From: Simon Tatham
Date: Wed, 25 Jan 2017 19:47:08 +0000 (+0000)
Subject: Fix an integer overflow in get_ssh_string.
X-Git-Tag: 0.68~70
X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=19467455fe7840ab146f47136c88f61c87365e8c;p=PuTTY.git

Fix an integer overflow in get_ssh_string.

If the length field in the input data was so large that adding 4 to it caused wraparound, the error check could fail to trigger. Fortunately, this particular get_ssh_string function is only used during private key import from foreign file formats, so it won't be facing hostile data.
---
diff --git a/misc.c b/misc.c index ed6290f5..5fd58a13 100644 --- a/misc.c +++ b/misc.c @@ -1118,7 +1118,7 @@ void *get_ssh_string(int *datalen, const void **data, int *stringlen) if (*datalen < 4) return NULL; len = GET_32BIT_MSB_FIRST((const unsigned char *)*data); - if (*datalen < len+4) + if (*datalen - 4 < len) return NULL; ret = (void *)((const char *)*data + 4); *datalen -= len + 4;
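Review bot: The rewritten check `if (*datalen - 4 < len)` compares the int `*datalen - 4` against `len`, whose declaration is outside the hunk, so whether the fix is complete depends on a type the reader cannot see here. The subtraction itself is safe because the preceding `if (*datalen < 4)` guarantees a non-negative left-hand side. If `len` is unsigned, the comparison then rejects every length larger than the remaining data and the later `*datalen -= len + 4` cannot wrap. If `len` is a signed int, a length field with the top bit set would load as a negative value, pass this check, and make `*datalen -= len + 4` grow the remaining length instead of shrinking it. Suggest stating the expected type in a short comment above the check, or adding an explicit rejection of lengths above INT_MAX, which would also make clear why storing the length through the `int *stringlen` parameter is safe. Since the commit message relies on this function only seeing key-import data, a comment on the function recording that assumption would help any later caller that feeds it untrusted input.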