From 2c4c47ae0f85bb5ed22aa93201328da7f29d9153 Mon Sep 17 00:00:00 2001 From: Cedric BAIL Date: Wed, 30 May 2012 02:19:07 +0000 Subject: [PATCH] eet: properly check buffer size during decipher. Fix bug #1017. SVN revision: 71524 --- legacy/eet/ChangeLog | 4 ++++ legacy/eet/NEWS | 1 + legacy/eet/src/lib/eet_cipher.c | 2 +- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/legacy/eet/ChangeLog b/legacy/eet/ChangeLog index 9df47e5991..c862049930 100644 --- a/legacy/eet/ChangeLog +++ b/legacy/eet/ChangeLog @@ -594,3 +594,7 @@ 2012-05-15 Cedric Bail * Make eet_dictionary thread safe. + +2012-05-30 Cedric Bail + + * Check that gnutls and openssl don't return below zero size during decipher. diff --git a/legacy/eet/NEWS b/legacy/eet/NEWS index 5d11d3ee9d..f7da97e26e 100644 --- a/legacy/eet/NEWS +++ b/legacy/eet/NEWS @@ -6,6 +6,7 @@ Changes since Eet 1.6.0: Fixes: * Force destruction of all pending file when shuting down eet. * Make eet_dictionary thread safe. + * Check that gnutls and openssl don't return below zero size during decipher. Eet 1.6.0 diff --git a/legacy/eet/src/lib/eet_cipher.c b/legacy/eet/src/lib/eet_cipher.c index 2425e22293..9441d8c562 100644 --- a/legacy/eet/src/lib/eet_cipher.c +++ b/legacy/eet/src/lib/eet_cipher.c @@ -1219,7 +1219,7 @@ eet_decipher(const void *data, /* Get the decrypted data size */ tmp = *ret; tmp = ntohl(tmp); - if (tmp > tmp_len) + if (tmp > tmp_len || tmp <= 0) goto on_error; /* Update the return values */
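Review bot: The new ChangeLog and NEWS entries say the check is that gnutls and openssl "don't return below zero size", which does not match what the eet_cipher.c hunk tests. The value compared there is the size read through `ret` after decryption (`tmp = *ret; tmp = ntohl(tmp);`), not a return value of either library, and `tmp <= 0` rejects a zero size as well as a negative one. Suggest wording along the lines of "Reject a zero or negative embedded size in eet_decipher" in both files, and citing bug #1017 from the commit subject so the entry can be traced back to the report.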
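Review bot: In the eet_cipher.c hunk (eet_decipher), the new condition `if (tmp > tmp_len || tmp <= 0)` is only as strong as the types of `tmp` and `tmp_len`, and neither declaration is visible in the hunk. `ntohl()` returns an unsigned 32-bit value, so if `tmp` is unsigned the `tmp <= 0` half can only ever match zero; if `tmp` is signed, a value with the top bit set becomes negative on assignment and this lower-bound test is what stops it, since a negative `tmp` would otherwise pass `tmp > tmp_len` against a signed `tmp_len`. Suggest making the intended signedness explicit next to the check, putting the lower bound first (`tmp <= 0 || tmp > tmp_len`), and adding a short comment that a zero-length result is deliberately treated as an error, since callers that previously received an empty payload will now hit `on_error`.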