From 76ba385488b58232cb70364e7c53134cd56ffb59 Mon Sep 17 00:00:00 2001
From: simon
Date: Mon, 8 Jul 2013 22:36:04 +0000
Subject: [PATCH] GH-79: backport supposed fix for CVE-2013-4852 "Add an assortment of extra safety checks." Direct cherry-pick of svn://svn.tartarus.org/sgt/putty@9896
---
 import.c | 2 +-
 sshdss.c | 4 +++-
 sshrsa.c | 2 ++
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/import.c b/import.c
index 20a77e5fe..18209aa2f 100644
--- a/import.c
+++ b/import.c
@@ -290,7 +290,7 @@ static int ssh2_read_mpint(void *data, int len, struct mpint_pos *ret)
 if (len < 4)
 goto error;
 bytes = GET_32BIT(d);
- if (len < 4+bytes)
+ if (bytes < 0 || len-4 < bytes)
 goto error;
 ret->start = d + 4;
diff --git a/sshdss.c b/sshdss.c
index 7c95d11b6..3a16c7e02 100644
--- a/sshdss.c
+++ b/sshdss.c
@@ -43,6 +43,8 @@ static void getstring(char **data, int *datalen, char **p, int *length)
 if (*datalen < 4)
 return;
 *length = GET_32BIT(*data);
+ if (*length < 0)
+ return;
 *datalen -= 4;
 *data += 4;
 if (*datalen < *length)
@@ -98,7 +100,7 @@ static void *dss_newkey(char *data, int len)
 }
 #endif
- if (!p || memcmp(p, "ssh-dss", 7)) {
+ if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
 sfree(dss);
 return NULL;
 }
diff --git a/sshrsa.c b/sshrsa.c
index 0c1b2ef5a..4abc88cc9 100644
--- a/sshrsa.c
+++ b/sshrsa.c
@@ -526,6 +526,8 @@ static void getstring(char **data, int *datalen, char **p, int *length)
 if (*datalen < 4)
 return;
 *length = GET_32BIT(*data);
+ if (*length < 0)
+ return;
 *datalen -= 4;
 *data += 4;
 if (*datalen < *length)
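Review bot: In import.c's ssh2_read_mpint, the rewritten test `if (bytes < 0 || len-4 < bytes)` only works if `bytes` is a signed type, so that a length field with its top bit set shows up as negative. The declaration of `bytes` is outside the hunk, so that assumption cannot be checked here, and converting an out-of-range 32-bit value to int is implementation-defined. Nothing on the line records why the comparison was reshaped; a comment such as `/* len-4 < bytes, not len < 4+bytes: the sum can overflow on an untrusted length field */` would stop a later cleanup from restoring the old form. The function body starts and ends outside the hunk.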
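Review bot: In sshdss.c's getstring, the new early return `if (*length < 0) return;` exits with the negative value already stored in the caller's length variable. Because the function returns void, the only failure signal is whatever `*p` was set to before the hunk begins. A caller that reads the length without first testing p would see that negative value, so clearing it on the way out is cheap hardening: `if (*length < 0) { *length = 0; return; }`. The identical hunk in sshrsa.c's getstring has the same shape and would take the same change; in both files the function body starts and ends outside the hunk.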
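Review bot: In sshdss.c's dss_newkey, the added `slen != 7` term is only safe because `!p` short-circuits first. getstring can return before writing `*length` at all when fewer than four bytes remain, so `slen` may be unset on that path unless it is initialised outside the hunk. A comment such as `/* !p must be tested first: slen is not written when getstring fails early */` would keep a later edit from reordering the terms. The literal 7 now appears twice on the line; using `sizeof("ssh-dss") - 1` in both places would tie the length test to the string being compared.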