From 320f41fc1fad3a4b7295873f8041131a139a33c2 Mon Sep 17 00:00:00 2001
From: Michael Zillgith <michael.zillgith@mz-automation.de>
Date: Sat, 4 Jan 2020 16:19:56 +0100
Subject: [PATCH] - check return value of getNumberOfElements in
 MmsValue_decodeMmsData

---
 src/mms/iso_mms/server/mms_access_result.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/mms/iso_mms/server/mms_access_result.c b/src/mms/iso_mms/server/mms_access_result.c
index 475b726e..bdb75114 100644
--- a/src/mms/iso_mms/server/mms_access_result.c
+++ b/src/mms/iso_mms/server/mms_access_result.c
@@ -171,9 +171,11 @@ MmsValue_decodeMmsData(uint8_t* buffer, int bufPos, int bufferLength, int* endBu
     case 0xa1: /* MMS_ARRAY */
     case 0xa2: /* MMS_STRUCTURE */
     {
-
         int elementCount = getNumberOfElements(buffer, bufPos, dataLength);
 
+        if (elementCount < 0)
+            goto exit_with_error;
+
         if (tag == 0xa1)
             value = MmsValue_createEmptyArray(elementCount);
         else