$OpenBSD: patch-src_load_it_cpp,v 1.1 2011/05/05 21:25:48 jasper Exp $

Fixed various possible integer overflows in CSoundFile::ReadIT().
From upstream git: 89dd2ff3f4463a5c657767cee81fa62dff7f70eb

--- src/load_it.cpp.orig	Sun May 10 05:05:27 2009
+++ src/load_it.cpp	Thu May  5 23:19:10 2011
@@ -216,7 +216,7 @@ BOOL CSoundFile::ReadIT(const BYTE *lpStream, DWORD dw
 	}
 	if (m_nChannels < 4) m_nChannels = 4;
 	// Reading Song Message
-	if ((pifh.special & 0x01) && (pifh.msglength) && (pifh.msgoffset + pifh.msglength < dwMemLength))
+	if ((pifh.special & 0x01) && (pifh.msglength) && (pifh.msglength <= dwMemLength) && (pifh.msgoffset < dwMemLength - pifh.msglength))
 	{
 		m_lpszSongComments = new char[pifh.msglength+1];
 		if (m_lpszSongComments)
@@ -325,11 +325,11 @@ BOOL CSoundFile::ReadIT(const BYTE *lpStream, DWORD dw
 	for (UINT patchk=0; patchk<npatterns; patchk++)
 	{
 		memset(chnmask, 0, sizeof(chnmask));
-		if ((!patpos[patchk]) || ((DWORD)patpos[patchk] + 4 >= dwMemLength)) continue;
+		if ((!patpos[patchk]) || ((DWORD)patpos[patchk] >= dwMemLength - 4)) continue;
 		UINT len = bswapLE16(*((WORD *)(lpStream+patpos[patchk])));
 		UINT rows = bswapLE16(*((WORD *)(lpStream+patpos[patchk]+2)));
 		if ((rows < 4) || (rows > 256)) continue;
-		if (patpos[patchk]+8+len > dwMemLength) continue;
+		if (8+len > dwMemLength || patpos[patchk] > dwMemLength - (8+len)) continue;
 		UINT i = 0;
 		const BYTE *p = lpStream+patpos[patchk]+8;
 		UINT nrow = 0;
@@ -383,7 +383,7 @@ BOOL CSoundFile::ReadIT(const BYTE *lpStream, DWORD dw
 	// Reading Samples
 	m_nSamples = pifh.smpnum;
 	if (m_nSamples >= MAX_SAMPLES) m_nSamples = MAX_SAMPLES-1;
-	for (UINT nsmp=0; nsmp<pifh.smpnum; nsmp++) if ((smppos[nsmp]) && (smppos[nsmp] + sizeof(ITSAMPLESTRUCT) <= dwMemLength))
+	for (UINT nsmp=0; nsmp<pifh.smpnum; nsmp++) if ((smppos[nsmp]) && (smppos[nsmp] <= dwMemLength - sizeof(ITSAMPLESTRUCT)))
 	{
 		ITSAMPLESTRUCT pis = *(ITSAMPLESTRUCT *)(lpStream+smppos[nsmp]);
 		pis.id = bswapLE32(pis.id);
@@ -450,7 +450,7 @@ BOOL CSoundFile::ReadIT(const BYTE *lpStream, DWORD dw
 	// Reading Patterns
 	for (UINT npat=0; npat<npatterns; npat++)
 	{
-		if ((!patpos[npat]) || ((DWORD)patpos[npat] + 4 >= dwMemLength))
+		if ((!patpos[npat]) || ((DWORD)patpos[npat] >= dwMemLength - 4))
 		{
 			PatternSize[npat] = 64;
 			Patterns[npat] = AllocatePattern(64, m_nChannels);
@@ -460,7 +460,7 @@ BOOL CSoundFile::ReadIT(const BYTE *lpStream, DWORD dw
 		UINT len = bswapLE16(*((WORD *)(lpStream+patpos[npat])));
 		UINT rows = bswapLE16(*((WORD *)(lpStream+patpos[npat]+2)));
 		if ((rows < 4) || (rows > 256)) continue;
-		if (patpos[npat]+8+len > dwMemLength) continue;
+		if (8+len > dwMemLength || patpos[npat] > dwMemLength - (8+len)) continue;
 		PatternSize[npat] = rows;
 		if ((Patterns[npat] = AllocatePattern(rows, m_nChannels)) == NULL) continue;
 		memset(lastvalue, 0, sizeof(lastvalue));
