$OpenBSD: patch-src_load_med_cpp,v 1.1 2011/05/05 21:25:48 jasper Exp $

Fixed various possible integer overflows in CSoundFile::ReadMed()
From upstream git: ce87da55599421e851a5b13492b753defba17349

--- src/load_med.cpp.orig	Mon May 11 10:21:30 2009
+++ src/load_med.cpp	Thu May  5 23:21:15 2011
@@ -664,7 +664,7 @@ BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD d
 				const MMD2PLAYSEQ *pmps = (MMD2PLAYSEQ *)(lpStream + pseq);
 				if (!m_szNames[0][0]) memcpy(m_szNames[0], pmps->name, 31);
 				UINT n = bswapBE16(pmps->length);
-				if (pseq+n <= dwMemLength)
+				if (n < (dwMemLength - (pseq + sizeof(*pmps)) + sizeof(pmps->seq)) / sizeof(pmps->seq[0]))
 				{
 					for (UINT i=0; i<n; i++)
 					{
@@ -745,7 +745,7 @@ BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD d
 				DWORD trktagofs = bswapBE32(ptrktags[i]);
 				if (trktagofs)
 				{
-					while (trktagofs+8 < dwMemLength)
+					while (trktagofs < dwMemLength - 8)
 					{
 						DWORD ntag = bswapBE32(*(DWORD *)(lpStream + trktagofs));
 						if (ntag == MMDTAG_END) break;
@@ -758,7 +758,7 @@ BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD d
 						trktagofs += 8;
 					}
 					if (trknamelen > MAX_CHANNELNAME) trknamelen = MAX_CHANNELNAME;
-					if ((trknameofs) && (trknameofs + trknamelen < dwMemLength))
+					if ((trknameofs) && (trknamelen < dwMemLength) && (trknameofs < dwMemLength - trknamelen))
 					{
 						lstrcpyn(ChnSettings[i].szName, (LPCSTR)(lpStream+trknameofs), MAX_CHANNELNAME);
 						ChnSettings[i].szName[MAX_CHANNELNAME-1] = '\0';
