Tweak bounds checks in pageant_add_keyfile.

[PuTTY.git] / pageant.c

diff --git a/pageant.c b/pageant.c
index 68bfab5309f134f3fe3a60c09d2944b3f20a3e22..31a5540c45f9d36275d532de5fad93d6e6f36b50 100644 (file)
--- a/pageant.c
+++ b/pageant.c
@@ -1344,8 +1344,11 @@ int pageant_add_keyfile(Filename *filename, const char *passphrase,
                         *retstr = dupstr("Received broken key list from agent");
                         return PAGEANT_ACTION_FAILURE;
                    }
-                   n = toint(4 + GET_32BIT(p));
-                   if (n < 0 || keylistlen < n) {
+                   n = GET_32BIT(p);
+                    p += 4;
+                    keylistlen -= 4;
+
+                   if (n < 0 || n > keylistlen) {
                         *retstr = dupstr("Received broken key list from agent");
                         return PAGEANT_ACTION_FAILURE;
                    }
@@ -1359,8 +1362,11 @@ int pageant_add_keyfile(Filename *filename, const char *passphrase,
                         *retstr = dupstr("Received broken key list from agent");
                         return PAGEANT_ACTION_FAILURE;
                    }
-                   n = toint(4 + GET_32BIT(p));
-                   if (n < 0 || keylistlen < n) {
+                   n = GET_32BIT(p);
+                    p += 4;
+                    keylistlen -= 4;
+
+                   if (n < 0 || n > keylistlen) {
                         *retstr = dupstr("Received broken key list from agent");
                         return PAGEANT_ACTION_FAILURE;
                    }