From d9945f6f50a8c967888cd9c2ebe65ffbe462056e Mon Sep 17 00:00:00 2001
From: Arvid Norberg <arvid@libtorrent.org>
Date: Tue, 2 Jun 2015 01:29:05 +0000
Subject: [PATCH] merged fix from RC_1_0
---
 ChangeLog | 1 +
 src/lazy_bdecode.cpp | 12 +++++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/lazy_bdecode.cpp b/src/lazy_bdecode.cpp
index 785c6d6..de47ed9 100644
--- a/src/lazy_bdecode.cpp
+++ b/src/lazy_bdecode.cpp
@@ -150,7 +150,9 @@
 if (e) TORRENT_FAIL_BDECODE(e);
-if (start + len + 1 > end)
+// remaining buffer size excluding ':'
+const ptrdiff_t buff_size = end - start - 1;
+if (len > buff_size)
 TORRENT_FAIL_BDECODE(errors::unexpected_eof);
 if (len < 0)
@@ -216,15 +218,19 @@
 start = parse_int(start, end, ':', len, e);
 if (e) TORRENT_FAIL_BDECODE(e);
-if (start + len + 1 > end)
+
+// remaining buffer size excluding ':'
+const ptrdiff_t buff_size = end - start - 1;
+if (len > buff_size)
 TORRENT_FAIL_BDECODE(errors::unexpected_eof);
 if (len < 0)
 TORRENT_FAIL_BDECODE(errors::overflow);
 ++start;
+
 if (start == end) TORRENT_FAIL_BDECODE(errors::unexpected_eof);
 top->construct_string(start, int(len));
-stack.pop_back();
 start += len;
+stack.pop_back();
 continue;
 }
 }
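Review bot: In the second hunk, `top->construct_string(start, int(len));` still narrows the length after the new check, and because `len` is now bounded only by `buff_size` (a ptrdiff_t), a buffer larger than INT_MAX bytes on a 64-bit build would let a `len` above INT_MAX pass `len > buff_size` and be silently truncated by the cast; the declared type of `len` is not visible in the hunk, but the explicit `int(len)` implies it is wider than int. Folding that into the existing sign check, `if (len < 0 || len > INT_MAX) TORRENT_FAIL_BDECODE(errors::overflow);`, closes the gap without touching the interface (needs `<climits>`, or use `std::numeric_limits<int>::max()`). The new `// remaining buffer size excluding ':'` comment says what `buff_size` is but not why the check was rewritten, and the subject line is only "merged fix from RC_1_0"; I would extend it to `// compare lengths instead of forming start + len + 1: with an input-controlled len that pointer can be out of bounds (UB) or wrap on 32-bit, bypassing the check`. The enclosing function starts and ends outside both hunks.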