# HG changeset patch
# User Matt Johnston
# Date 1468251258 -28800
# Node ID 6914eedb10721db4833c8f005b4acd37f71fb975
# Parent b66a483f3dcb66a70341845dd36e922ddaee4c5a
additional length checks
diff -r b66a483f3dcb -r 6914eedb1072 buffer.c
--- a/buffer.c Mon Jul 11 23:09:33 2016 +0800
+++ b/buffer.c Mon Jul 11 23:34:18 2016 +0800
@@ -141,9 +141,10 @@
 /* increment the position by incr, negative values are allowed, to
 * decrement the pos*/
 void buf_incrpos(buffer* buf, int incr) {
- if (incr > BUF_MAX_INCR ||
- (unsigned int)((int)buf->pos + incr) > buf->len
- || ((int)buf->pos + incr) < 0) {
+ if (incr > BUF_MAX_INCR
+ || incr < -BUF_MAX_INCR
+ || (unsigned int)((int)buf->pos + incr) > buf->len
+ || ((int)buf->pos + incr) < 0) {
 dropbear_exit("Bad buf_incrpos");
 }
 buf->pos += incr;
@@ -184,7 +185,7 @@
 * the next len bytes from that position can be used */
 unsigned char* buf_getptr(buffer* buf, unsigned int len) {
- if (buf->pos + len > buf->len) {
+ if (len > BUF_MAX_INCR || buf->pos + len > buf->len) {
 dropbear_exit("Bad buf_getptr");
 }
 return &buf->data[buf->pos];
@@ -194,7 +195,7 @@
 * This allows writing past the used length, but not past the size */
 unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {
- if (buf->pos + len > buf->size) {
+ if (len > BUF_MAX_INCR || buf->pos + len > buf->size) {
 dropbear_exit("Bad buf_getwriteptr");
 }
 return &buf->data[buf->pos];
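Review bot: The new symmetric bound on incr at the top of buf_incrpos still routes the range check through `(int)buf->pos + incr`, so its safety depends on buf->pos fitting in an int and on the actual value of BUF_MAX_INCR, neither of which is visible here; casting an unsigned pos above INT_MAX is implementation-defined and the signed addition can overflow. The same decision can be made entirely in unsigned arithmetic by comparing the magnitude of incr against the room available on each side, which relies only on the invariant `buf->pos <= buf->len` that this function itself maintains. The comment above the function could also state the new limit, e.g. `/* ... |incr| is limited to BUF_MAX_INCR and the resulting pos must stay within [0, buf->len] */`. The rewritten body is sketched below; the closing brace of buf_incrpos lies outside the hunk.
```c
void buf_incrpos(buffer* buf, int incr) {
	if (incr > BUF_MAX_INCR || incr < -BUF_MAX_INCR) {
		dropbear_exit("Bad buf_incrpos");
	}
	if (incr < 0) {
		/* moving backwards: cannot go before the start of the buffer */
		if ((unsigned int)(-incr) > buf->pos) {
			dropbear_exit("Bad buf_incrpos");
		}
	} else if ((unsigned int)incr > buf->len - buf->pos) {
		/* moving forwards: cannot go past the used length (relies on pos <= len) */
		dropbear_exit("Bad buf_incrpos");
	}
	buf->pos += incr;
```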
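Review bot: The added `len > BUF_MAX_INCR` guard in buf_getptr does not by itself stop `buf->pos + len` from wrapping, because that addition is still unsigned; it is sufficient only if BUF_MAX_INCR plus the largest possible buf->len can never reach UINT_MAX, and neither bound is visible in this hunk. Comparing against the remaining room avoids the addition altogether: `if (len > BUF_MAX_INCR || len > buf->len - buf->pos) {`, which is exact provided `buf->pos <= buf->len` holds (the check in buf_incrpos in this same patch keeps it so). buf_getwriteptr in the next hunk has the same shape and would become `if (len > BUF_MAX_INCR || len > buf->size - buf->pos) {`, assuming pos never exceeds size. Both functions' closing braces lie outside their hunks.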