Both fixed, thanks!
Petri
> diff --git a/src/utf.c b/src/utf.c
> index 0a2ba9b..cbeeb54 100644
> --- a/src/utf.c
> +++ b/src/utf.c
> @@ -173,7 +173,7 @@ int utf8_check_string(const char *string, size_t length)
> return 0;
> else if(count > 1)
> {
> - if(i + count > length)
> + if(count > length - i)
> return 0;
>
> if(!utf8_check_full(&string[i], count, NULL))
> diff --git a/src/hashtable.c b/src/hashtable.c
> index 5fb0467..a254cfa 100644
> --- a/src/hashtable.c
> +++ b/src/hashtable.c
> @@ -249,7 +249,14 @@ int hashtable_set(hashtable_t *hashtable,
> /* offsetof(...) returns the size of pair_t without the last,
> flexible member. This way, the correct amount is
> allocated. */
> - pair = jsonp_malloc(offsetof(pair_t, key) + strlen(key) + 1);
> +
> + size_t len = strlen(key);
> + if(len >= (size_t)-1 - offsetof(pair_t, key)) {
> + /* Avoid an overflow if the key is very long */
> + return -1;
> + }
> +
> + pair = jsonp_malloc(offsetof(pair_t, key) + len + 1);
> if(!pair)
> return -1;
>