This fixes a potential crash bug, a client can make us read memory we
should not read. Luckily I got the disp checks right...
Volker
(cherry picked from commit
64a1d80851da5b05e70ec6c96f6e9bd473748369)
goto bad_param;
}
- if (ddisp > av_size ||
+ if (doff > av_size ||
dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
goto bad_param;
}
goto bad_param;
}
- if (ddisp > av_size ||
+ if (doff > av_size ||
dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
goto bad_param;
}
goto bad_param;
}
- if (ddisp > av_size ||
+ if (doff > av_size ||
dcnt > av_size ||
- ddisp+dcnt > av_size ||
- ddisp+dcnt < ddisp) {
+ doff+dcnt > av_size ||
+ doff+dcnt < doff) {
goto bad_param;
}