From d544852ff61bddbbf3d2095f18ba30d9562487f2 Mon Sep 17 00:00:00 2001
From: Petri Lehtinen
Date: Tue, 15 Oct 2013 08:44:04 +0300
Subject: [PATCH] Avoid integer overflows with very long strings
---
 src/hashtable.c | 7 +++++++
 src/utf.c | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/hashtable.c b/src/hashtable.c
index 5fb0467..0af8cee 100644
--- a/src/hashtable.c
+++ b/src/hashtable.c
@@ -249,6 +249,13 @@ int hashtable_set(hashtable_t *hashtable,
 /* offsetof(...) returns the size of pair_t without the last, flexible member. This way, the correct amount is allocated. */
+
+ size_t len = strlen(key);
+ if(len > (size_t)-1 - offsetof(pair_t, key)) {
+ /* Avoid an overflow if the key is very long */
+ return -1;
+ }
+
 pair = jsonp_malloc(offsetof(pair_t, key) + strlen(key) + 1);
 if(!pair) return -1;
diff --git a/src/utf.c b/src/utf.c
index 0a2ba9b..cbeeb54 100644
--- a/src/utf.c
+++ b/src/utf.c
@@ -173,7 +173,7 @@ int utf8_check_string(const char *string, size_t length)
 return 0;
 else if(count > 1) {
- if(i + count > length)
+ if(count > length - i)
 return 0;
 if(!utf8_check_full(&string[i], count, NULL))
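Review bot: The new guard in hashtable_set is off by one: it lets through `len == (size_t)-1 - offsetof(pair_t, key)`, and for that value `offsetof(pair_t, key) + len + 1` still wraps to 0, so the allocation that follows would be undersized. Comparing with `>=` closes the gap: `if(len >= (size_t)-1 - offsetof(pair_t, key)) {`. The allocation also still calls `strlen(key)` a second time; `pair = jsonp_malloc(offsetof(pair_t, key) + len + 1);` reuses the checked value so the guard and the size cannot drift apart. The check sits between the existing offsetof comment and the malloc it describes, and `size_t len` is declared in the middle of a function whose body starts and ends outside this hunk, so confirm the project's C dialect allows a declaration at that point.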
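Review bot: The rewritten bound check `count > length - i` in utf8_check_string is only safe while `i <= length`, because `length - i` would otherwise wrap to a huge value and the check would reject nothing; the loop that maintains this is outside the hunk, so the invariant is presumably `i < length` but cannot be confirmed from here. A one-line comment above the test would keep a later edit from reintroducing the additive form, for example `/* i < length here, so length - i cannot wrap; i + count could */`. The types of `i` and `count` are not visible in the hunk; if `count` is a signed int it is converted to size_t for the comparison, which is harmless only because this branch requires `count > 1`.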