X-Git-Url: https://git.draconx.ca/gitweb/upkg.git/blobdiff_plain/1f5b72d49e29a126b35385a6277b411b1f97fbf5..4165687b9036344270342acae34fe5086b0bf949:/src/engine/music.gob

diff --git a/src/engine/music.gob b/src/engine/music.gob
index 879e0ad..f0bde09 100644
--- a/src/engine/music.gob
+++ b/src/engine/music.gob
@@ -108,8 +108,7 @@ class Engine:Music from U:Object (dynamic)
 	override (U:Object) int deserialize(U:Object *uo)
 	{
 		struct upkg_file *f = uo->pkg_file;
-		Self *self = SELF(uo);
-		size_t rc, pos, buflen;
+		size_t rc, pos = 0, buflen;
 		unsigned char buf[32];
 		long size;
 
@@ -122,7 +121,7 @@ class Engine:Music from U:Object (dynamic)
 			return -1;
 		pos += 1;
 
-		if (uo->pkg->version > 61) {
+		if (f->pkg->version > 61) {
 			/* Unknown field #2 */
 			if (buflen - pos < 4)
 				return -1;
@@ -130,7 +129,7 @@ class Engine:Music from U:Object (dynamic)
 		}
 
 		rc = upkg_decode_index(&size, buf+pos, buflen-pos);
-		if (rc == 0 || size < 0)
+		if (rc == 0 || size < 0 || size > f->len - pos)
 			return -1;
 		pos += rc;