--- putty/import.c 2013/07/07 14:34:37 9895
+++ putty/import.c 2013/07/08 22:36:04 9896
@@ -290,7 +290,7 @@
if (len < 4)
goto error;
bytes = GET_32BIT(d);
- if (len < 4+bytes)
+ if (bytes < 0 || len-4 < bytes)
goto error;
ret->start = d + 4;
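Review bot: The `bytes < 0` test on the changed line only works if `bytes` is a signed type and a wire value of 0x80000000 or above converts to a negative number, which is implementation-defined in C. The declarations are outside the hunk, so this is inferred from the test itself. Since `len >= 4` is already established a few lines above, comparing the raw value before it is narrowed would cover both cases, assuming GET_32BIT yields an unsigned value: `if (GET_32BIT(d) > (unsigned long)(len - 4)) goto error;`. A short comment such as `/* subtract from len rather than add to bytes: 4+bytes can overflow on a hostile length field */` would keep a later cleanup from reverting to the old form.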
--- putty/sshdss.c 2013/07/07 14:34:37 9895
+++ putty/sshdss.c 2013/07/08 22:36:04 9896
@@ -43,6 +43,8 @@
if (*datalen < 4)
return;
*length = GET_32BIT(*data);
+ if (*length < 0)
+ return;
*datalen -= 4;
*data += 4;
if (*datalen < *length)
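Review bot: On the new `*length < 0` return, `*length` has already been overwritten with the rejected negative value, while `*data` and `*datalen` are left unadvanced. The caller visible in the next hunk tests `!p` first, which suggests the pointer output is the failure signal, but that is set outside this hunk. Consider reading the value into a local and storing it to `*length` only after both checks pass, or at least add a comment like `/* on failure *length is not meaningful; callers must test *p */`. The same two lines are added to what looks like an identical helper in putty/sshrsa.c (@@ -526,6 +526,8), so the point applies there too, and the duplicated helper is a candidate for sharing so the next length fix lands once. The function starts and ends outside the hunk.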
@@ -98,7 +100,7 @@
}
#endif
- if (!p || memcmp(p, "ssh-dss", 7)) {
+ if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
sfree(dss);
return NULL;
}
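Review bot: The literal `7` now appears twice in the condition next to `"ssh-dss"`, and the three must stay in step. The length test is what keeps `memcmp` from reading past a shorter string and from accepting a longer name with this prefix. Deriving the length from the literal makes that dependency explicit: `if (!p || slen != (int)(sizeof("ssh-dss") - 1) || memcmp(p, "ssh-dss", slen))`. A one-line comment stating that the length check must precede the `memcmp` would also help. The enclosing function starts and ends outside the hunk and the type of `slen` is not visible here, so the cast is an assumption.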
--- putty/sshrsa.c 2013/07/07 14:34:37 9895
+++ putty/sshrsa.c 2013/07/08 22:36:04 9896
@@ -526,6 +526,8 @@
if (*datalen < 4)
return;
*length = GET_32BIT(*data);
+ if (*length < 0)
+ return;
*datalen -= 4;
*data += 4;
if (*datalen < *length)