From d9945f6f50a8c967888cd9c2ebe65ffbe462056e Mon Sep 17 00:00:00 2001
From: Arvid Norberg <arvid@libtorrent.org>
Date: Tue, 2 Jun 2015 01:29:05 +0000
Subject: [PATCH] merged fix from RC_1_0

---
 ChangeLog            |  1 +
 src/lazy_bdecode.cpp | 12 +++++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/lazy_bdecode.cpp b/src/lazy_bdecode.cpp
index 785c6d6..de47ed9 100644
--- a/src/lazy_bdecode.cpp
+++ b/src/lazy_bdecode.cpp
@@ -150,7 +150,9 @@
 					if (e)
 						TORRENT_FAIL_BDECODE(e);
 
-					if (start + len + 1 > end)
+					// remaining buffer size excluding ':'
+					const ptrdiff_t buff_size = end - start - 1;
+					if (len > buff_size)
 						TORRENT_FAIL_BDECODE(errors::unexpected_eof);
 
 					if (len < 0)
@@ -216,15 +218,19 @@
 					start = parse_int(start, end, ':', len, e);
 					if (e)
 						TORRENT_FAIL_BDECODE(e);
-					if (start + len + 1 > end)
+
+					// remaining buffer size excluding ':'
+					const ptrdiff_t buff_size = end - start - 1;
+					if (len > buff_size)
 						TORRENT_FAIL_BDECODE(errors::unexpected_eof);
 					if (len < 0)
 						TORRENT_FAIL_BDECODE(errors::overflow);
 
 					++start;
+					if (start == end) TORRENT_FAIL_BDECODE(errors::unexpected_eof);
 					top->construct_string(start, int(len));
-					stack.pop_back();
 					start += len;
+					stack.pop_back();
 					continue;
 				}
 			}