library/addisco.c has several comparisons like the check in this function:
static unsigned short
get_16 (unsigned char **p,
        unsigned char *end)
{
	unsigned short val;

	/* Pointer-arithmetic bounds check: forms (*p) + 2 before comparing it. */
	if ((*p) + 2 > end)
		return 0;	/* bail-out body not shown on this page; reconstructed so the function compiles */

	val = ns_get16 (*p);
	(*p) += 2;
	return val;
}
The problem is that a pointer that points past the element after the last element in the buffer is invalid. Depending on how this function is called, a smart compiler could optimize away such checks.
The comparison should be written like this:
if (end - (*p) < 2)
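Added example (not realmd's code): the same 16-bit reader written with the length-comparison form of the check, driven over a constructed buffer whose trailing odd byte must be left unread rather than overread. `be16` is a local stand-in for `ns_get16()` from <resolv.h> so the file builds without libresolv; `read_fields` and the sample bytes are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for ns_get16(): read a big-endian 16-bit value. */
static unsigned short
be16 (const unsigned char *p)
{
	return (unsigned short) (((unsigned) p[0] << 8) | p[1]);
}

/* Read one 16-bit field and advance *p. Returns 0 on success, -1 when
 * fewer than two bytes remain. `end - *p < 2` only subtracts two pointers
 * into the same buffer; it never forms *p + 2, which would be an invalid
 * pointer (undefined behaviour) when *p is end - 1, so the compiler cannot
 * reason the check away. */
static int
get_16 (const unsigned char **p, const unsigned char *end, unsigned short *out)
{
	if (end - *p < 2)
		return -1;
	*out = be16 (*p);
	*p += 2;
	return 0;
}

/* Parse `buf` as a sequence of 16-bit fields into vals[] (at most `max`).
 * Returns the number of complete fields read; a trailing odd byte stops
 * the loop cleanly. */
size_t
read_fields (const unsigned char *buf, size_t len, unsigned short *vals, size_t max)
{
	const unsigned char *p = buf;
	const unsigned char *end = buf + len;
	size_t n = 0;

	while (n < max && get_16 (&p, end, &vals[n]) == 0)
		n++;
	return n;
}

int
main (void)
{
	/* Constructed input: two complete fields followed by one stray byte. */
	static const unsigned char buf[] = { 0x00, 0x01, 0x12, 0x34, 0xff };
	unsigned short vals[4];
	size_t n = read_fields (buf, sizeof buf, vals, 4);

	printf ("read %zu fields: 0x%04x 0x%04x\n", n, vals[0], vals[1]);
	return 0;
}
```

The subtraction form also reads naturally as "bytes remaining", which makes it easy to audit every call site for the right field width.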
Created attachment 120278
Fix for the buffer length checks
Please consider this patch as a fix for the ticket.
Thanks!

Merged into git master.