From f31c9fb221ca61e1e2583f896a70469107c31310 Mon Sep 17 00:00:00 2001
From: Marc Hoersken <info@marc-hoersken.de>
Date: Mon, 15 Dec 2014 00:38:58 +0100
Subject: [PATCH] wincng.c: fix possible invalid memory write access

Fixes VS2012 code analysis warning C6386:
buffer overrun: accessing 'pbOutput', the writable size is
'cbOutput' bytes, but '3' bytes may be written: libssh2 wincng.c 610
---
 src/wincng.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/wincng.c b/src/wincng.c
index c8cb252..9c92e21 100644
--- a/src/wincng.c
+++ b/src/wincng.c
@@ -597,16 +597,17 @@ _libssh2_wincng_bn_ltob(unsigned char *pbInput,
     cbOutput = cbInput;
     if (pbInput[length] & (1 << 7)) {
         offset++;
-        cbOutput++;
+        cbOutput += offset;
     }
 
-    pbOutput = malloc(cbOutput);
+    pbOutput = (unsigned char *)malloc(cbOutput);
     if (!pbOutput) {
         return -1;
     }
 
     pbOutput[0] = 0;
-    for (index = 0; index < cbInput; index++) {
+    for (index = 0; ((index + offset) < cbOutput)
+                    && (index < cbInput); index++) {
         pbOutput[index + offset] = pbInput[length - index];
     }