if (len < 4)
goto error;
bytes = GET_32BIT(d);
- if (len < 4+bytes)
+ if (bytes < 0 || len-4 < bytes)
goto error;
ret->start = d + 4;
if (*datalen < 4)
return;
*length = GET_32BIT(*data);
+ if (*length < 0)
+ return;
*datalen -= 4;
*data += 4;
if (*datalen < *length)
}
#endif
- if (!p || memcmp(p, "ssh-dss", 7)) {
+ if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
sfree(dss);
return NULL;
}
if (*datalen < 4)
return;
*length = GET_32BIT(*data);
+ if (*length < 0)
+ return;
*datalen -= 4;
*data += 4;
if (*datalen < *length)