===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/gzsig/Attic/ssh2.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -c -r1.3 -r1.4
*** src/usr.bin/gzsig/Attic/ssh2.c	2009/07/12 18:04:03	1.3
--- src/usr.bin/gzsig/Attic/ssh2.c	2014/07/07 17:02:22	1.4
***************
*** 1,4 ****
! /* $OpenBSD: ssh2.c,v 1.3 2009/07/12 18:04:03 jsg Exp $ */
  /*
   * ssh2.c
   *
--- 1,4 ----
! /* $OpenBSD: ssh2.c,v 1.4 2014/07/07 17:02:22 bluhm Exp $ */
  /*
   * ssh2.c
   *
***************
*** 87,95 ****
  static int
  _read_int(struct iovec *iov, int *ival)
  {
! 	iov->iov_len -= 4;
! 	if (iov->iov_len < 0)
  		return (-1);
  	*ival = GET_32BIT((u_char *)iov->iov_base);
  	iov->iov_base = (u_char*)iov->iov_base + 4;
  
--- 87,95 ----
  static int
  _read_int(struct iovec *iov, int *ival)
  {
! 	if (iov->iov_len < 4)
  		return (-1);
+ 	iov->iov_len -= 4;
  	*ival = GET_32BIT((u_char *)iov->iov_base);
  	iov->iov_base = (u_char*)iov->iov_base + 4;
  
***************
*** 102,110 ****
  	if (_read_int(iov, len) < 0 || *len < 0)
  		return (-1);
  
! 	iov->iov_len -= *len;
! 	if (iov->iov_len < 0)
  		return (-1);
  
  	*buf = iov->iov_base;
  	iov->iov_base = (u_char*)iov->iov_base + *len;
--- 102,110 ----
  	if (_read_int(iov, len) < 0 || *len < 0)
  		return (-1);
  
! 	if (iov->iov_len < (size_t)*len)
  		return (-1);
+ 	iov->iov_len -= *len;
  
  	*buf = iov->iov_base;
  	iov->iov_base = (u_char*)iov->iov_base + *len;