From da520c34b0d39ee388cba148d2b54819783949e2 Mon Sep 17 00:00:00 2001
From: Steven Morgan
Date: Wed, 13 Jul 2016 14:27:10 -0400
Subject: [PATCH] bb11601 - check array boundaries in unrarvm rarvm_getbits().
---
 libclamunrar/unrarvm.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/libclamunrar/unrarvm.c b/libclamunrar/unrarvm.c
index 29944cbea..1cf5bb629 100644
--- a/libclamunrar/unrarvm.c
+++ b/libclamunrar/unrarvm.c
@@ -215,12 +215,15 @@ unsigned int rarvm_getbits(rarvm_input_t *rarvm_input)
 {
 unsigned int bit_field;
- bit_field = (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr] << 16;
- bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
- bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+2];
- bit_field >>= (8-rarvm_input->in_bit);
+ if (rarvm_input->in_addr+2 < rarvm_input->buf_size) {
+ bit_field = (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr] << 16;
+ bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
+ bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+2];
+ bit_field >>= (8-rarvm_input->in_bit);
- return (bit_field & 0xffff);
+ return (bit_field & 0xffff);
+ }
+ return 0;
 }
 unsigned int rarvm_read_data(rarvm_input_t *rarvm_input)
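Review bot: The new guard `rarvm_input->in_addr+2 < rarvm_input->buf_size` bounds the three-byte read only from above. The field types are declared outside this hunk; if `in_addr` and `buf_size` are signed, a negative `in_addr` still satisfies the test and indexes before `in_buf`, and the addition itself can overflow. Checking the lower bound and moving the arithmetic to the size side closes both, e.g. `if (rarvm_input->in_addr >= 0 && rarvm_input->buf_size >= 3 && rarvm_input->in_addr < rarvm_input->buf_size - 2) {`. The fallback `return 0;` is also indistinguishable from sixteen genuine zero bits, so exhausted input is decoded as data rather than rejected; since the signature cannot report failure without touching callers, at least add a comment such as `/* past end of in_buf: yields zero bits, caller must detect exhaustion itself */`.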