Index: trunk/docs/Changelog
===================================================================
--- trunk/docs/Changelog	(revision 501)
+++ trunk/docs/Changelog	(revision 502)
@@ -1,5 +1,7 @@
 4.1.3:
+	* tighter sanity checks in sh_static.c
 	* fix regression with '--enable-static' in sh_static.c
-	  (reported by amaiket).
+	(reported by amaiket).
+
 4.1.2:
 	* add options --enable-selinux and --enable-posix-acl for "hard fail"
@@ -7,5 +9,6 @@
 	* fix wrong policy assignment when inotify is active and change occurs
 	during a reload (reported by Bond)
-	* fix failure to detect open UDP port for some daemons (reported by James)
+	* fix failure to detect open UDP port for some daemons
+	(reported by James)
 	* fix broken 'rpm' and 'rpm-light' makefile targets
 	(reported by Bond)
Index: trunk/src/sh_static.c
===================================================================
--- trunk/src/sh_static.c	(revision 501)
+++ trunk/src/sh_static.c	(revision 502)
@@ -1052,6 +1052,8 @@
 	if (!data)
 		return -1;
+	if ((offset < 0) || (offset > (PACKETSZ-1)))
+	        return -1;
 	while ((l=data[offset])) {
-	        if (offset < INT_MAX) offset++;
+	        if (offset < (PACKETSZ-1)) offset++;
 		else return -1;
 		if (measure)
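Review bot: The range checks added here compare `offset` with the constant `PACKETSZ`, not with the number of bytes actually received, so for a reply shorter than `PACKETSZ` the loop can still interpret bytes that were never part of the response. Whether those reads stay inside the allocation depends on the packet buffer being at least `PACKETSZ` bytes, which is not visible in this diff. The same holds for the redirect check in the next hunk and for the two `pos >= PACKETSZ` checks in the last two hunks. The visible call passes only the buffer, offset, destination and `sizeof(temp)`, so the function has no packet length to test against; at minimum I would document the assumption above the new check, e.g. `/* data must point to a buffer of at least PACKETSZ bytes; the received length is not checked here */`. The function body starts and ends outside the hunk.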
@@ -1062,5 +1064,5 @@
 		        /* compressed item, redirect */ 
 			offset = ((l & 0x3f) << 8) | data[offset];
-			if (offset < 0)
+			if ((offset < 0) || (offset > (PACKETSZ-1)))
 			  return -1; 
 			measure = 0;
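Review bot: Nothing limits how many compression pointers are followed, even though each redirect is now range-checked: a pointer whose target is itself or an earlier pointer passes the new `offset > (PACKETSZ-1)` test every time. If the loop resumes from the new offset after `measure = 0;` (the rest of the branch is outside the hunk), nothing visible here advances `used` or `total` on a redirect, so such input would keep the loop spinning. A hop counter declared next to the other locals and checked in this branch, e.g. `if (++hops > MAX_PTR_HOPS) return -1;` (`MAX_PTR_HOPS` is a placeholder name for a small constant), would bound it.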
@@ -1076,5 +1078,5 @@
 		memcpy(dest + used, data + offset, l);
 		
-		if (offset <= (INT_MAX - l))
+		if (offset <= ((PACKETSZ-1) - l))
 		  offset += l;
 		else
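Review bot: The `memcpy` at the top of this hunk reads `l` bytes from `data + offset` before the new test `offset <= ((PACKETSZ-1) - l)` runs, so a label that starts near the end of the packet is copied first and rejected only afterwards. Unless a check above the hunk already bounds `offset + l`, the test should precede the copy: `if (offset > ((PACKETSZ-1) - l)) return -1;` ahead of the `memcpy`, leaving a plain `offset += l;` after it. The surrounding loop begins and ends outside the hunk.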
@@ -1088,5 +1090,5 @@
 		  { if (total <= (INT_MAX -l)) total += l; else return -1; }
 
-		if (used == INT_MAX)
+		if (used >= maxlen)
 		  return -1;
 		if (data[offset] != 0)
@@ -1113,8 +1115,8 @@
 
 	i = __decode_dotted(message, offset, temp, sizeof(temp));
-	if (i < 0)
-		return i;
-
-	if (offset <= (INT_MAX - i))
+	if (i < 0 || i > PACKETSZ)
+		return -1;
+
+	if (offset <= ((PACKETSZ - 10) - i))
 	  message += offset + i;
 	else
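Review bot: The literal `10` in `offset <= ((PACKETSZ - 10) - i)` is unexplained. It presumably reserves room for the fixed-size fields read after the name (type, class, TTL and data length add up to 10 bytes), but the code that reads them is outside the hunk, so this should be confirmed. A comment such as `/* 10 = fixed RR fields that follow the name */` would make the bound checkable, as would the `RRFIXEDSZ` constant if the header that provides `PACKETSZ` also defines it in this build.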
@@ -1349,4 +1351,5 @@
 		}
 
+		/* ok because we have checked that recv at least HFIXEDSZ */
 		__decode_header(packet, &h);
 
@@ -1382,4 +1385,6 @@
 				goto again;
 			pos += i;
+			if (pos >= PACKETSZ)
+			        goto again;
 		}
 		DPRINTF("Decoding answer at pos %d\n", pos);
@@ -1400,4 +1405,6 @@
 		    free(a->dotted);
 		    pos += i;
+		    if (pos >= PACKETSZ)
+		            goto again;
 		}
 
