From ba185c45cdd6fc330615aaff79e9b7f8923f5913 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 18 Jan 2025 23:22:33 +0100
Subject: [PATCH] PALSARJaxa: avoid out-of-range access (likely master only /
 related to RFC105)

Fixes https://issues.oss-fuzz.com/issues/390565839
and https://issues.oss-fuzz.com/issues/390464881
---
 frmts/jaxapalsar/jaxapalsardataset.cpp | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/frmts/jaxapalsar/jaxapalsardataset.cpp b/frmts/jaxapalsar/jaxapalsardataset.cpp
index d8ef19f4b95e..ed8371857e7e 100644
--- a/frmts/jaxapalsar/jaxapalsardataset.cpp
+++ b/frmts/jaxapalsar/jaxapalsardataset.cpp
@@ -513,10 +513,13 @@ int PALSARJaxaDataset::Identify(GDALOpenInfo *poOpenInfo)
         return 0;
 
     /* First, check that this is a PALSAR image indeed */
-    if (!STARTS_WITH_CI((char *)(poOpenInfo->pabyHeader + 60), "AL") ||
-        !STARTS_WITH_CI(
-            CPLGetBasenameSafe(poOpenInfo->pszFilename).substr(4).c_str(),
-            "ALPSR"))
+    if (!STARTS_WITH_CI((char *)(poOpenInfo->pabyHeader + 60), "AL"))
+    {
+        return 0;
+    }
+    const std::string osBasename = CPLGetBasenameSafe(poOpenInfo->pszFilename);
+    if (osBasename.size() < 9 ||
+        !STARTS_WITH_CI(osBasename.c_str() + 4, "ALPSR"))
     {
         return 0;
     }