From 5fb34d8324d3e7e0061df25d0086b64c8726b19d Mon Sep 17 00:00:00 2001
From: Lasse Collin <lasse.collin@tukaani.org>
Date: Mon, 26 Jan 2009 14:33:28 +0200
Subject: Add more sanity checks to lzma_stream_buffer_decode().

---
 src/liblzma/common/stream_buffer_decoder.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'src/liblzma')

diff --git a/src/liblzma/common/stream_buffer_decoder.c b/src/liblzma/common/stream_buffer_decoder.c
index 2418e420..aef2b982 100644
--- a/src/liblzma/common/stream_buffer_decoder.c
+++ b/src/liblzma/common/stream_buffer_decoder.c
@@ -26,6 +26,13 @@ lzma_stream_buffer_decode(uint64_t *memlimit, uint32_t flags,
 		const uint8_t *in, size_t *in_pos, size_t in_size,
 		uint8_t *out, size_t *out_pos, size_t out_size)
 {
+	// Sanity checks
+	if (in_pos == NULL || (in == NULL && *in_pos != in_size)
+			|| *in_pos > in_size || out_pos == NULL
+			|| (out == NULL && *out_pos != out_size)
+			|| *out_pos > out_size)
+		return LZMA_PROG_ERROR;
+
 	// Catch flags that are not allowed in buffer-to-buffer decoding.
 	if (flags & LZMA_TELL_ANY_CHECK)
 		return LZMA_PROG_ERROR;
-- 
cgit v1.2.3