From c065ca480f3839bf3935750b1b16c4ccd56c87fc Mon Sep 17 00:00:00 2001
From: kumpera
Date: Tue, 13 Apr 2010 22:59:06 +0000
Subject: [PATCH] 2010-04-13 Rodrigo Kumpera * metadata-verify.c (decode_signature_header): Do proper overflow checking.
git-svn-id: svn+ssh://mono-cvs.ximian.com/source/trunk/mono@155339 e3ebcda4-bce8-0310-ba0a-eca2169e7518
---
 mono/metadata/ChangeLog | 4 ++++
 mono/metadata/metadata-verify.c | 8 +++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/mono/metadata/ChangeLog b/mono/metadata/ChangeLog
index e22762ff8..5463e4c71 100644
--- a/mono/metadata/ChangeLog
+++ b/mono/metadata/ChangeLog
@@ -1,3 +1,7 @@
+2010-04-13 Rodrigo Kumpera
+
+ * metadata-verify.c (decode_signature_header): Do proper
+ overflow checking.
 Tue Apr 13 12:36:29 CEST 2010 Paolo Molaro
diff --git a/mono/metadata/metadata-verify.c b/mono/metadata/metadata-verify.c
index 0ffb428a9..fa657a770 100644
--- a/mono/metadata/metadata-verify.c
+++ b/mono/metadata/metadata-verify.c
@@ -1132,14 +1132,16 @@ decode_signature_header (VerifyContext *ctx, guint32 offset, int *size, const ch
 if (!decode_value (blob.data + offset, blob.size - offset, &value, &enc_size))
 return FALSE;
- if (offset + enc_size + value < offset)
+ if (CHECK_ADD4_OVERFLOW_UN (offset, enc_size))
 return FALSE;
- if (offset + enc_size + value > blob.size)
+ offset += enc_size;
+
+ if (ADD_IS_GREATER_OR_OVF (offset, value, blob.size))
 return FALSE;
 *size = value;
- *first_byte = blob.data + offset + enc_size;
+ *first_byte = blob.data + offset;
 return TRUE;
 }
--
2.11.4.GIT
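Review bot: `*size = value;` narrows the decoded length into an `int` out-parameter, and the new `ADD_IS_GREATER_OR_OVF (offset, value, blob.size)` check bounds `value` only by the blob size, not by `INT_MAX`. If `value` and `blob.size` are 32-bit unsigned (their declarations are outside the hunk, so this is inferred from the `_UN` macro and the `guint32 offset` parameter), a length above `INT_MAX` would reach callers as a negative size. A guard such as `if (value > INT_MAX) return FALSE;` before the assignment, or a comment stating why the encoding cannot produce such a value, would close that. The call `decode_value (blob.data + offset, blob.size - offset, ...)` also depends on `offset <= blob.size` having been checked earlier; the function's opening lines are not in the hunk, so that should be confirmed.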