commit b2f7af546d38b360167a7e30a795ea9f2e91ddf7 from: Stefan Sperling date: Sun Nov 11 10:40:53 2018 UTC check for size_t overflow in got_delta_apply_in_mem() like libgit2's c15771104 (delta: fix overflow when computing limit)
commit - 53509745676dbd3d9665b66f638ca74b1fdd5af1
commit + b2f7af546d38b360167a7e30a795ea9f2e91ddf7
blob - 9959137774da2dd00f419381147d0952d0d20785
blob + 40c9a34cc71199d0d450d917eecec341f671beec
--- lib/delta.c
+++ lib/delta.c
@@ -18,6 +18,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -287,7 +288,8 @@ got_delta_apply_in_mem(uint8_t *base_buf, size_t base_
 err = parse_opcode(&offset, &len, &p, &remain);
 if (err)
 break;
- if (base_bufsz < offset + len ||
+ if (SIZE_MAX - offset < len || offset + len < 0 ||
+ base_bufsz < offset + len ||
 *outsize + len > maxoutsize)
 return got_error(GOT_ERR_BAD_DELTA);
 memcpy(outbuf + *outsize, base_buf + offset, len);
@@ -307,7 +309,8 @@ got_delta_apply_in_mem(uint8_t *base_buf, size_t base_
 err = next_delta_byte(&p, &remain);
 if (err)
 break;
- if (remain < len || *outsize + len > maxoutsize)
+ if (remain < len || SIZE_MAX - *outsize < len ||
+ *outsize + len > maxoutsize)
 return got_error(GOT_ERR_BAD_DELTA);
 memcpy(outbuf + *outsize, p, len);
 p += len;
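Review bot: In the copy-from-base branch (the hunk at -287) the output-side bound `*outsize + len > maxoutsize` is still an unguarded addition, while the literal-copy branch (the hunk at -307) gains `SIZE_MAX - *outsize < len` for the same expression. If that sum wraps, the bound passes and the following `memcpy(outbuf + *outsize, base_buf + offset, len)` writes past the output limit, so the same guard belongs here: `SIZE_MAX - *outsize < len ||` placed before `*outsize + len > maxoutsize`. The declarations of `offset` and `len` are outside the hunk; if `offset` is a signed type as wide as `size_t`, the usual arithmetic conversions make `offset + len` unsigned, so `offset + len < 0` can never be true, and an explicit `offset < 0 ||` would express the intended rejection of negative offsets. The body of got_delta_apply_in_mem() starts and ends outside both hunks, so any invariant such as `*outsize <= maxoutsize` cannot be confirmed from here.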