Out-of-Bounds Read in decode_sbstype6 for PRN Mask > 51 Bits #747

Open
tech-nickel opened this issue Mar 7, 2024 · 1 comment

@tech-nickel

Issue Summary:
The decode_sbstype6 function in sbas.c may perform an array out-of-bounds read when handling a PRN mask set to more than 51 bits.

if (sbssat->sat[i].fcorr.iodf!=iodf[i/13]) continue;

Details:

  • Standard Violation: According to Annex 10, Volume 1 (Aeronautical Telecommunications), a PRN mask should only be processed with 51 or fewer bits set to 1.
  • Technical Insight: The iodf[4] array is initialized to handle segments of up to 13 satellites, assuming that the PRN mask does not exceed 51 bits. With MAXSAT set to 229 possible satellites, accessing the iodf array with iodf[i/13] risks out-of-bounds reads if the PRN mask is set to more than 51 bits against the standard.
  • Potential Impact: This issue can lead to undefined behavior, including segmentation faults.

Suggested Fix:
Implement checks to enforce the PRN mask limit as per Annex 10 before processing the PRN mask in decode_sbstype6.

Steps to Reproduce:

  1. Process an SBAS message with the PRN mask set to more than 51 bits in decode_sbstype6.
  2. Observe the behavior or error due to out-of-bounds array access.
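
An added example, not part of the issue thread and not the project's code: a simplified C model of the suggested fix, rejecting an over-long mask when it arrives and re-checking the satellite count before indexing `iodf[i/13]`. The struct layout, function names and the one-byte-per-flag mask of 210 entries are assumptions; only `iodf[4]`, the `i/13` index, `MAXSAT` = 229 and the 51-bit limit come from the issue.

```c
#include <stdio.h>
#include <string.h>

#define MAXSAT        229 /* satellite slots, value quoted in the issue */
#define MAX_MASK_SATS 51  /* Annex 10 limit quoted in the issue */
#define IODF_GROUPS   4   /* size of the iodf[] array */
#define GROUP_SIZE    13  /* divisor in iodf[i/13] */

/* Hypothetical, simplified stand-ins for the decoder state. */
typedef struct { int iodf, udre; } sat_model;
typedef struct { int nsat; sat_model sat[MAXSAT]; } sbssat_model;

/* Mask stage: refuse more than 51 set flags, leaving the old state alone. */
int accept_prn_mask(const unsigned char *flags, int nflags, sbssat_model *s)
{
    int i, n = 0;
    for (i = 0; i < nflags; i++) if (flags[i]) n++;
    if (n > MAX_MASK_SATS) return -1;
    s->nsat = n;
    return n;
}

/* Type 6 stage: re-check the count so iodf[i/13] never reaches iodf[4]. */
int apply_type6(sbssat_model *s, const int *iodf, const int *udre)
{
    int i, updated = 0;
    if (s->nsat < 0 || s->nsat > MAX_MASK_SATS) return -1;
    for (i = 0; i < s->nsat; i++) {
        if (s->sat[i].iodf != iodf[i / GROUP_SIZE]) continue;
        s->sat[i].udre = udre[i];
        updated++;
    }
    return updated;
}

int main(void)
{
    static sbssat_model s;            /* zero-initialised */
    unsigned char flags[210] = {0};   /* constructed mask, 52 flags set */
    int iodf[IODF_GROUPS] = {0, 0, 0, 0}, udre[MAX_MASK_SATS] = {0};
    memset(flags, 1, 52);
    printf("52-bit mask -> %d\n", accept_prn_mask(flags, 210, &s));
    flags[51] = 0;
    printf("51-bit mask -> %d\n", accept_prn_mask(flags, 210, &s));
    printf("type 6 updated %d\n", apply_type6(&s, iodf, udre));
    s.nsat = 60;                      /* stale or corrupted count */
    printf("nsat=60 -> %d\n", apply_type6(&s, iodf, udre));
    return 0;
}
```

With four groups of 13 the array covers indices 0 to 51, so the first index that reads past `iodf[3]` is 52; the 51-satellite limit keeps the highest index at 50.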
@nahuelmol

I was reading the code, but I don't understand how the use of 13 for grouping satellites is justified. Maybe I am overlooking something.
