Fix an integer overflow in buffer_get_data().

Thanks to Orange Labs for the report.

libssh/buffer.c

@@ -339,8 +339,13 @@ uint32_t buffer_pass_bytes_end(struct ssh_buffer_struct *buffer, uint32_t len){
  * \returns len otherwise.
  */
 uint32_t buffer_get_data(struct ssh_buffer_struct *buffer, void *data, uint32_t len){
-    if(buffer->pos+len>buffer->used)
-        return 0;  /*no enough data in buffer */
+    /*
+     * Check for a integer overflow first, then check if not enough data is in
+     * the buffer.
+     */
+    if (buffer->pos + len < len || buffer->pos + len > buffer->used) {
+      return 0;
+    }
     memcpy(data,buffer->data+buffer->pos,len);
     buffer->pos+=len;
     return len;   /* no yet support for partial reads (is it really needed ?? ) */