From 0141b974456806491bff73e238e634cd0e505350 Mon Sep 17 00:00:00 2001
From: Gabriel Terwesten
Date: Sun, 6 Nov 2022 17:17:08 +0100
Subject: [PATCH] Prevent buffer overflow in `Value::getStringBytes`
---
 Fleece/Core/Value.cc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Fleece/Core/Value.cc b/Fleece/Core/Value.cc
index 8955d780..9b06be21 100644
--- a/Fleece/Core/Value.cc
+++ b/Fleece/Core/Value.cc
@@ -158,6 +158,9 @@ namespace fleece { namespace impl {
 // This means the actual length follows as a varint:
 uint32_t length;
 size_t lengthBytes = GetUVarInt32(s, &length);
+ if (_usuallyFalse(lengthBytes == 0))
+ // Invalid data, but I'm not allowed to throw an exception.
+ return nullslice;
 return slice(&s[lengthBytes], length);
 }
 return s;
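Review bot: The decoded `length` is still used unchecked in `return slice(&s[lengthBytes], length);`, because the new guard rejects only a varint that failed to decode (`lengthBytes == 0`). A well-formed varint carrying an oversized length would therefore still produce a slice that may extend past the underlying data. Nothing visible in the hunk bounds `length` against the bytes actually available; if that is validated elsewhere (for example when untrusted data is first loaded), record it with a comment such as `// length is not bounds-checked here; untrusted data must be validated before this is called`. The brace-less `if` with a comment between the condition and `return nullslice;` is also easy to misread, so braces around the body would help. The enclosing function starts and ends outside the hunk.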