From dd84600b5fa3a2588acdcaf80d92fd358a82aebe Mon Sep 17 00:00:00 2001
From: Zac Medico <zmedico@gentoo.org>
Date: Sun, 27 Oct 2019 13:03:28 -0700
Subject: [PATCH 1/3] bdeltaReconstructDCBuff: validate int_size

The int_size must be in the range 1 to 4 in order to avoid BUFF_SIZE
overflow or a negative left shift.

Bug: https://bugs.gentoo.org/543310
Reported-by: Aidan Thornton <makosoft@googlemail.com>
Signed-off-by: Zac Medico <zmedico@gentoo.org>
---
 libdiffball/bdelta.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libdiffball/bdelta.c b/libdiffball/bdelta.c
index 195ca3d..487140c 100644
--- a/libdiffball/bdelta.c
+++ b/libdiffball/bdelta.c
@@ -171,6 +171,8 @@ bdeltaReconstructDCBuff(DCB_SRC_ID src_id, cfile *patchf, CommandBuffer *dcbuff)
 	cread(patchf, buff, 1);
 	int_size = buff[0];
 	v2printf("int_size=%u\n", int_size);
+	if(int_size < 1 || int_size > 4)
+		return PATCH_CORRUPT_ERROR;
 	/* yes, this is an intentional switch fall through. */
 	switch(int_size) {
 		case 1: or_mask |= 0x0000ff00;
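Review bot: The result of `cread(patchf, buff, 1)` just above the new range check is not tested, so on a truncated patch `int_size` is taken from whatever `buff[0]` already held and the check validates stale data. If cread reports the number of bytes read (its contract is not visible in this hunk), the read could become `if(cread(patchf, buff, 1) != 1) return PATCH_CORRUPT_ERROR;`. The same unchecked one-byte read sits inside the loop of readXDInt in the libdiffball/xdelta1.c hunk. The new check would also benefit from a comment such as `/* int_size comes from the patch file; only 1..4 keep the shifts and BUFF_SIZE in range */`. The body of bdeltaReconstructDCBuff starts and ends outside the hunk.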

From db4a965ca35ae247713bcd5b0d94ef776cdabc15 Mon Sep 17 00:00:00 2001
From: Zac Medico <zmedico@gentoo.org>
Date: Sun, 27 Oct 2019 13:53:05 -0700
Subject: [PATCH 2/3] gdiffReconstructDCBuff: increase buff_size from 5 to 13

The buff_size must be at least 13 in order to accommodate cread and
readUBytesBE calls relative to buff + 1 with ob = 8 and lb = 4.

Bug: https://bugs.gentoo.org/543310
Reported-by: Aidan Thornton <makosoft@googlemail.com>
Signed-off-by: Zac Medico <zmedico@gentoo.org>
---
 libdiffball/gdiff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libdiffball/gdiff.c b/libdiffball/gdiff.c
index 6df0f1f..8d065e9 100644
--- a/libdiffball/gdiff.c
+++ b/libdiffball/gdiff.c
@@ -192,7 +192,7 @@ signed int
 gdiffReconstructDCBuff(DCB_SRC_ID  src_id, cfile *patchf, CommandBuffer *dcbuff, 
 		unsigned int offset_type)
 {
-	const unsigned int buff_size = 5;
+	const unsigned int buff_size = 13;
 	unsigned char buff[buff_size];
 	off_u32 len, dc_pos=0;
 	off_u64 ver_pos=0;
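Review bot: The new size 13 is a bare literal whose derivation (one leading byte, plus ob of up to 8, plus lb of up to 4, per the commit message) is not recorded next to the declaration of `buff_size`. Nothing in this hunk enforces that ob and lb stay within those limits. I would add `/* 1 leading byte + max offset bytes (ob = 8) + max length bytes (lb = 4) */` above the declaration. If the read sites further down do not already bound their lengths, a guard such as `if(1 + ob + lb > buff_size) return PATCH_CORRUPT_ERROR;` before they write into `buff` would keep the buffer safe should either value grow. The function body continues past the hunk, so those read sites are not visible here.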

From 4e60e54a11fc1de0a85f54b9332062b173f98676 Mon Sep 17 00:00:00 2001
From: Zac Medico <zmedico@gentoo.org>
Date: Sun, 27 Oct 2019 14:49:16 -0700
Subject: [PATCH 3/3] readXDInt: limit count to 31

Since buff points to a 32-byte stack buffer, count must not exceed 31.

Bug: https://bugs.gentoo.org/543310
Reported-by: Aidan Thornton <makosoft@googlemail.com>
Signed-off-by: Zac Medico <zmedico@gentoo.org>
---
 libdiffball/xdelta1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libdiffball/xdelta1.c b/libdiffball/xdelta1.c
index 563d1cc..1902f91 100644
--- a/libdiffball/xdelta1.c
+++ b/libdiffball/xdelta1.c
@@ -54,7 +54,7 @@ readXDInt(cfile *patchf, unsigned char *buff)
 	do {
 		count++;
 		cread(patchf, buff + count, 1);
-	} while(buff[count] & 0x80);
+	} while(count < 31 && buff[count] & 0x80);
 	for(; count >= 0; count--) {
 		num <<= 7;
 		num |= (buff[count] & 0x7f);
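Review bot: When the loop now stops because `count` reached 31, a byte sequence whose last byte still has 0x80 set is decoded as if it were complete, so a malformed patch yields an arbitrary number instead of an error. The decode loop below can also shift up to 32 groups of 7 bits into `num`, more than any integer type can hold (its declaration is outside the hunk), so the high groups are lost silently. The literal 31 is tied to the caller's 32-byte buffer only by the commit message; a comment like `/* buff must have room for 32 bytes; stop at index 31 */` or a passed-in length would keep the two in sync. readXDInt starts and ends outside the hunk, so whether it can report corruption to its caller is not visible here.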