diff --git a/src/liblzma/common/stream_buffer_decoder.c b/src/liblzma/common/stream_buffer_decoder.c index 2418e420..aef2b982 100644 --- a/src/liblzma/common/stream_buffer_decoder.c +++ b/src/liblzma/common/stream_buffer_decoder.c @@ -26,6 +26,13 @@ lzma_stream_buffer_decode(uint64_t *memlimit, uint32_t flags, const uint8_t *in, size_t *in_pos, size_t in_size, uint8_t *out, size_t *out_pos, size_t out_size) { + // Sanity checks + if (in_pos == NULL || (in == NULL && *in_pos != in_size) + || *in_pos > in_size || out_pos == NULL + || (out == NULL && *out_pos != out_size) + || *out_pos > out_size) + return LZMA_PROG_ERROR; + // Catch flags that are not allowed in buffer-to-buffer decoding. if (flags & LZMA_TELL_ANY_CHECK) return LZMA_PROG_ERROR;