From 466fb0ff6b4ff1811168a393d079467eeb6c5d73 Mon Sep 17 00:00:00 2001
From: Jef Driesen
Date: Sun, 4 May 2014 22:37:21 +0200
Subject: [PATCH] Add more buffer overflow checks.

There are a few places left, where the contents of the buffer is accessed without first inspecting the available length.
---
 src/hw_ostc_parser.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/hw_ostc_parser.c b/src/hw_ostc_parser.c
index b007377..5606631 100644
--- a/src/hw_ostc_parser.c
+++ b/src/hw_ostc_parser.c
@@ -563,6 +563,9 @@ hw_ostc_parser_samples_foreach (dc_parser_t *abstract, dc_sample_callback_t call
 // Extended sample info.
 for (unsigned int i = 0; i < nconfig; ++i) {
 if (info[i].divisor && (nsamples % info[i].divisor) == 0) {
+ if (offset + info[i].size > size)
+ return DC_STATUS_DATAFORMAT;
+
 unsigned int value = 0;
 switch (info[i].type) {
 case 0: // Temperature (0.1 °C).
@@ -620,7 +623,7 @@ hw_ostc_parser_samples_foreach (dc_parser_t *abstract, dc_sample_callback_t call
 }
 }
- if (data[offset] != 0xFD || data[offset + 1] != 0xFD)
+ if (offset + 2 > size || data[offset] != 0xFD || data[offset + 1] != 0xFD)
 return DC_STATUS_DATAFORMAT;
 return DC_STATUS_SUCCESS;
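Review bot: Both new guards compare a sum against `size` (`offset + info[i].size > size` in the extended-sample loop, and `offset + 2 > size` before the 0xFD 0xFD end-marker test), so they are only correct if the addition cannot wrap. The declarations of `offset` and `size` are outside the hunks; if they are unsigned and `offset <= size` already holds at these points, the subtraction form `if (info[i].size > size - offset)` and `if (size - offset < 2 || data[offset] != 0xFD || data[offset + 1] != 0xFD)` states the same bound without that dependency. The first guard also proves only that `info[i].size` bytes are available, and the `case` bodies are cut off after `case 0:`. It is worth confirming that no case reads a fixed width larger than the `info[i].size` value taken from the dive data. hw_ostc_parser_samples_foreach starts and ends outside both hunks.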