From c236b409799117eb10770bb7225d10d8409dee35 Mon Sep 17 00:00:00 2001
From: root <root>
Date: Fri, 7 Jul 2006 15:34:11 +0000
Subject: *** empty log message ***

---
 lzf_d.c | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

(limited to 'lzf_d.c')

diff --git a/lzf_d.c b/lzf_d.c
index d0229d7..73a1a80 100644
--- a/lzf_d.c
+++ b/lzf_d.c
@@ -68,6 +68,14 @@ lzf_decompress (const void *const in_data,  unsigned int in_len,
               return 0;
             }
 
+#if CHECK_INPUT
+          if (ip + ctrl > in_end)
+            {
+              SET_ERRNO (EINVAL);
+              return 0;
+            }
+#endif
+
 #if USE_MEMCPY
           memcpy (op, ip, ctrl);
           op += ctrl;
@@ -84,9 +92,25 @@ lzf_decompress (const void *const in_data,  unsigned int in_len,
 
           u8 *ref = op - ((ctrl & 0x1f) << 8) - 1;
 
+#if CHECK_INPUT
+          if (ip >= in_end)
+            {
+              SET_ERRNO (EINVAL);
+              return 0;
+            }
+#endif
           if (len == 7)
-            len += *ip++;
-          
+            {
+              len += *ip++;
+#if CHECK_INPUT
+              if (ip >= in_end)
+                {
+                  SET_ERRNO (EINVAL);
+                  return 0;
+                }
+#endif
+            }
+
           ref -= *ip++;
 
           if (op + len + 2 > out_end)
@@ -109,7 +133,7 @@ lzf_decompress (const void *const in_data,  unsigned int in_len,
           while (--len);
         }
     }
-  while (op < out_end && ip < in_end);
+  while (ip < in_end);
 
   return op - (u8 *)out_data;
 }
-- 
cgit v1.2.3