From 6b1eec0630516698ac9cd3343ef7eb8515fee231 Mon Sep 17 00:00:00 2001
From: Jakub Adam <jakub.adam@collabora.com>
Date: Thu, 3 Jan 2019 21:26:41 +0100
Subject: udp-turn: Avoid potential integer overflow

---
 socket/udp-turn.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/socket/udp-turn.c b/socket/udp-turn.c
index 1bc5e03..c3b152d 100644
--- a/socket/udp-turn.c
+++ b/socket/udp-turn.c
@@ -362,7 +362,7 @@ socket_recv_messages (NiceSocket *sock,
     guint f_buffer_len = priv->fragment_buffer->len;
 
     for (i = 0; i < n_recv_messages && f_buffer_len >= sizeof (guint16); ++i) {
-      guint16 msg_len = ((f_buffer[0] << 8) | f_buffer[1]) + sizeof (guint16);
+      guint32 msg_len = ((f_buffer[0] << 8) | f_buffer[1]) + sizeof (guint16);
 
       if (msg_len > f_buffer_len) {
         /* The next message in the buffer isn't complete yet. Wait for more
@@ -450,7 +450,7 @@ socket_recv_messages (NiceSocket *sock,
     if (nice_socket_is_reliable (sock) && parsed_buffer_length > 0) {
       /* Determine the portion of the current NiceInputMessage we can already
        * return. */
-      guint16 msg_len = 0;
+      gint32 msg_len = 0;
       if (!priv->fragment_buffer) {
         msg_len = ((buffer[0] << 8) | buffer[1]) + sizeof (guint16);
         if (msg_len > parsed_buffer_length) {
-- 
cgit v1.2.1