From d99aae586ab60ef5dc34a4fcfc83c92fc195f4a7 Mon Sep 17 00:00:00 2001
From: Duncan Overbruck
Date: Mon, 10 Feb 2020 14:08:39 +0100
Subject: [PATCH] lib/download.c: fix digestlen assert and add if condition to avoid misuse
---
 lib/download.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/download.c b/lib/download.c
index ce8f2a79..b3dcc02d 100644
--- a/lib/download.c
+++ b/lib/download.c
@@ -111,8 +111,12 @@ xbps_fetch_file_dest_sha256(struct xbps_handle *xhp, const char *uri, const char
 assert(xhp);
 assert(uri);
- if (digest) {
- assert(digestlen != XBPS_SHA256_DIGEST_SIZE);
+ if (digest != NULL) {
+ assert(digestlen >= XBPS_SHA256_DIGEST_SIZE);
+ if (digestlen < XBPS_SHA256_DIGEST_SIZE) {
+ errno = ENOBUFS;
+ return -1;
+ }
 SHA256_Init(&sha256);
 }
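Review bot: The `assert(digestlen >= XBPS_SHA256_DIGEST_SIZE)` kept directly above the new `if (digestlen < XBPS_SHA256_DIGEST_SIZE)` makes the two guards disagree: in a build without NDEBUG a short caller buffer aborts the process and the ENOBUFS return is never reached, while in an NDEBUG build only the `if` exists. The runtime check is presumably what keeps the digest from being written past the end of the caller's buffer, so I would make it the single guard by dropping the assert and leaving a comment such as `/* digest must hold XBPS_SHA256_DIGEST_SIZE bytes; reject short buffers in every build */`. The function's doc comment should also state that digestlen is the capacity of digest in bytes and that -1 with errno set to ENOBUFS is returned when it is too small. The body of xbps_fetch_file_dest_sha256 starts and ends outside the hunk, so whether anything acquired earlier needs releasing before this early return cannot be confirmed from here.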