From b1c5732fc8c89ee9217d0f54408f860565fa01f4 Mon Sep 17 00:00:00 2001
From: Mark Haines <mjark@negativecurvature.net>
Date: Mon, 23 May 2016 19:37:49 +0100
Subject: Fix bug in bounds check when parsing

---
 src/message.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/message.cpp b/src/message.cpp
index 1c93eb8..3be5234 100644
--- a/src/message.cpp
+++ b/src/message.cpp
@@ -133,7 +133,7 @@ static std::uint8_t const * decode(
         std::uint8_t const * len_start = pos;
         pos = varint_skip(pos, end);
         std::size_t len = varint_decode<std::size_t>(len_start, pos);
-        if (len + pos > end) return end;
+        if (len > std::size_t(end - pos)) return end;
         value = pos;
         value_length = len;
         pos += len;
@@ -154,7 +154,7 @@ static std::uint8_t const * skip_unknown(
             std::uint8_t const * len_start = pos;
             pos = varint_skip(pos, end);
             std::size_t len = varint_decode<std::size_t>(len_start, pos);
-            if (len + pos > end) return end;
+            if (len > std::size_t(end - pos)) return end;
             pos += len;
         } else {
             return end;
-- 
cgit v1.2.3