From c4d4e047862649a75f6dba905c613aff0df81309 Mon Sep 17 00:00:00 2001
From: Konstanty Bialkowski
Date: Wed, 14 Aug 2013 14:15:27 +1000
Subject: [PATCH] CVE-2013-4233 Fix Integer overflow in j variable -- reported by Florian "Agix" Gaultier
---
 libmodplug/src/load_abc.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp
index 9f4b328..ecb7b62 100644
--- a/libmodplug/src/load_abc.cpp
+++ b/libmodplug/src/load_abc.cpp
@@ -1814,7 +1814,7 @@ static int abc_extract_tempo(const char *p, int invoice)
 static void abc_set_parts(char **d, char *p)
 {
- int i,j,k,m,n;
+ int i,j,k,m,n,size;
 char *q;
 #ifdef NEWMIKMOD
 static MM_ALLOC *h;
@@ -1852,10 +1852,11 @@ static void abc_set_parts(char **d, char *p)
 i += n-1;
 }
 }
- q = (char *)_mm_calloc(h, j+1, sizeof(char)); // enough storage for the worst case
+ size = (j + 1) > 0 ? j+1 : j;
+ q = (char *)_mm_calloc(h, size, sizeof(char)); // enough storage for the worst case
 // now copy bytes from p to *d, taking parens and digits in account
 j = 0;
- for( i=0; p[i] && p[i] != '%'; i++ ) {
+ for( i=0; p[i] && p[i] != '%' && j < size; i++ ) {
 if( isdigit(p[i]) || isupper(p[i]) || p[i] == '(' || p[i] == ')' ) {
 if( p[i] == ')' ) {
 for( n=j; n > 0 && q[n-1] != '('; n-- ) ; // find open paren in q
-- 
1.8.4
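Review bot: The new line `size = (j + 1) > 0 ? j+1 : j;` does not remove the overflow it is meant to fix — `j + 1` is computed before the comparison, so with `j == INT_MAX` the addition is already signed-overflow UB, and the `: j` fallback then hands a negative (or, in practice, INT_MAX) count to `_mm_calloc` instead of rejecting the input. A sounder shape is to keep the count in `size_t`, cap it against a fixed maximum before the allocation, and check the `_mm_calloc` result before the copy loop writes through `q`. The added `j < size` guard in the `for` header is also only evaluated once per iteration; from the `for( n=j; n > 0 && q[n-1] != '('; n-- )` line it appears the body expands a parenthesised group and advances `j` several times per iteration (the body lies outside the hunk), so each `q[j++]` write inside needs its own bound check rather than relying on the loop condition. Finally, if the loop is followed by a terminator write such as `q[j] = '\0'` (outside the hunk), stopping at `j < size` still allows that write at `q[size]`; `j < size - 1`, or allocating `size + 1`, would keep it in bounds.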