From 8aab8caff1ae63757ccc4aed4ded99e3003d0878 Mon Sep 17 00:00:00 2001
From: Andy McFadden
Date: Sat, 2 Dec 2006 20:05:56 +0000
Subject: [PATCH] Test for buffer overrun when unpacking RLE.
---
 nufxlib-0/Lzw.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/nufxlib-0/Lzw.c b/nufxlib-0/Lzw.c
index 71abd3b..8b0235f 100644
--- a/nufxlib-0/Lzw.c
+++ b/nufxlib-0/Lzw.c
@@ -1248,6 +1248,11 @@ Nu_ExpandRLE(LZWExpandState* lzwState, const uchar* inbuf,
 if (uch == rleEscape) {
 uch = *inbuf++;
 count = *inbuf++;
+ if (outbuf + count >= outbufend) {
+ /* don't overrun buffer */
+ Assert(outbuf != outbufend);
+ break;
+ }
 while (count-- >= 0)
 *outbuf++ = uch;
 } else {
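Review bot: The new guard `outbuf + count >= outbufend` forms a pointer that can lie past the end of the output buffer before comparing it, which is undefined behaviour in C; comparing the remaining space instead, `if (count >= outbufend - outbuf) {`, expresses the same bound without it. The `>=` is right only because the loop below writes `count + 1` bytes, so the comment would be clearer as `/* run is count+1 bytes; don't overrun buffer */`. The two `*inbuf++` reads just above have no visible limit on the input side, so an escape byte at the end of the input may still read past it; the loop header is outside the hunk, so this needs checking there. It is also not visible whether the code after the `break` reports the truncated run as bad data rather than returning a short buffer as success. Nu_ExpandRLE begins and ends outside the hunk.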