commit - 53509745676dbd3d9665b66f638ca74b1fdd5af1
commit + b2f7af546d38b360167a7e30a795ea9f2e91ddf7
blob - 9959137774da2dd00f419381147d0952d0d20785
blob + 40c9a34cc71199d0d450d917eecec341f671beec
--- lib/delta.c
+++ lib/delta.c
#include <stdio.h>
#include <stdlib.h>
+#include <stdint.h>
#include <string.h>
#include <zlib.h>
#include <sha1.h>
err = parse_opcode(&offset, &len, &p, &remain);
if (err)
break;
- if (base_bufsz < offset + len ||
+ if (SIZE_MAX - offset < len || offset + len < 0 ||
+ base_bufsz < offset + len ||
*outsize + len > maxoutsize)
return got_error(GOT_ERR_BAD_DELTA);
memcpy(outbuf + *outsize, base_buf + offset, len);
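Review bot: The `*outsize + len > maxoutsize` term in the copy-from-base condition is still evaluated without a wrap guard, while the literal-data branch later in this diff gains `SIZE_MAX - *outsize < len` for the same sum. Adding `SIZE_MAX - *outsize < len ||` ahead of it here would make both branches reject a wrapping sum before the memcpy. Separately, `offset + len < 0` can only be true if the sum is computed in a signed type. The declarations are outside the hunk, but if `len` is `size_t` and `offset` is a signed type no wider than it, the sum is unsigned and the test never fires, and `SIZE_MAX - offset` would itself wrap for a negative offset. An explicit `offset < 0 ||` as the first term would state the intent directly; the enclosing loop starts and ends outside the hunk.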
err = next_delta_byte(&p, &remain);
if (err)
break;
- if (remain < len || *outsize + len > maxoutsize)
+ if (remain < len || SIZE_MAX - *outsize < len ||
+ *outsize + len > maxoutsize)
return got_error(GOT_ERR_BAD_DELTA);
memcpy(outbuf + *outsize, p, len);
p += len;