# HG changeset patch
# User Matt Johnston <matt@ucc.asn.au>
# Date 1468251258 -28800
# Node ID 6914eedb10721db4833c8f005b4acd37f71fb975
# Parent  b66a483f3dcb66a70341845dd36e922ddaee4c5a
additional length checks

diff -r b66a483f3dcb -r 6914eedb1072 buffer.c
--- a/buffer.c	Mon Jul 11 23:09:33 2016 +0800
+++ b/buffer.c	Mon Jul 11 23:34:18 2016 +0800
@@ -141,9 +141,10 @@
 /* increment the position by incr, negative values are allowed, to
  * decrement the pos*/
 void buf_incrpos(buffer* buf,  int incr) {
-	if (incr > BUF_MAX_INCR ||
-			(unsigned int)((int)buf->pos + incr) > buf->len 
-			|| ((int)buf->pos + incr) < 0) {
+	if (incr > BUF_MAX_INCR 
+		|| incr < -BUF_MAX_INCR 
+		|| (unsigned int)((int)buf->pos + incr) > buf->len
+		|| ((int)buf->pos + incr) < 0) {
 		dropbear_exit("Bad buf_incrpos");
 	}
 	buf->pos += incr;
@@ -184,7 +185,7 @@
  * the next len bytes from that position can be used */
 unsigned char* buf_getptr(buffer* buf, unsigned int len) {
 
-	if (buf->pos + len > buf->len) {
+	if (len > BUF_MAX_INCR || buf->pos + len > buf->len) {
 		dropbear_exit("Bad buf_getptr");
 	}
 	return &buf->data[buf->pos];
@@ -194,7 +195,7 @@
  * This allows writing past the used length, but not past the size */
 unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {
 
-	if (buf->pos + len > buf->size) {
+	if (len > BUF_MAX_INCR || buf->pos + len > buf->size) {
 		dropbear_exit("Bad buf_getwriteptr");
 	}
 	return &buf->data[buf->pos];