===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sftp-common.c,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- src/usr.bin/ssh/sftp-common.c 2022/09/19 10:41:58 1.33
+++ src/usr.bin/ssh/sftp-common.c 2023/03/31 04:00:37 1.34
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-common.c,v 1.33 2022/09/19 10:41:58 djm Exp $ */
+/* $OpenBSD: sftp-common.c,v 1.34 2023/03/31 04:00:37 djm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
 * Copyright (c) 2001 Damien Miller. All rights reserved.
@@ -132,6 +132,8 @@
 if ((r = sshbuf_get_u32(b, &count)) != 0)
 return r;
+ if (count > 0x100000)
+ return SSH_ERR_INVALID_FORMAT;
 for (i = 0; i < count; i++) {
 if ((r = sshbuf_get_cstring(b, &type, NULL)) != 0 ||
 (r = sshbuf_get_string(b, &data, &dlen)) != 0)