From 16aaf5819849e39a07788b997c597ce2b1c852a1 Mon Sep 17 00:00:00 2001 From: Kelsi Date: Sun, 29 Mar 2026 20:41:56 -0700 Subject: [PATCH] fix: M2 readString uint32 overflow in bounds check offset + length was computed in uint32_t before comparing to size_t. A crafted M2 with offset=0xFFFFFFFF, length=2 wraps to 1 in uint32, passing the check and reading out of bounds. Now uses size_t arithmetic, matching the readArray fix from an earlier round.
---
 src/pipeline/m2_loader.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/pipeline/m2_loader.cpp b/src/pipeline/m2_loader.cpp
index f8af506e..1b518d37 100644
--- a/src/pipeline/m2_loader.cpp
+++ b/src/pipeline/m2_loader.cpp
@@ -364,7 +364,10 @@ std::vector readArray(const std::vector& data, uint32_t offset, uint
 }
 std::string readString(const std::vector& data, uint32_t offset, uint32_t length) {
- if (offset + length > data.size()) {
+ // Use size_t arithmetic to prevent uint32 wraparound (same fix as readArray).
+ // A crafted M2 with offset=0xFFFFFFFF, length=2 would wrap to 1 in uint32,
+ // passing the check and reading out of bounds.
+ if (static_cast(offset) + static_cast(length) > data.size()) {
 return "";
 }