2 files changed, 7 insertions, 3 deletions

diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c
index fb51996ab..a089c65d8 100644
--- a/channels/chan_skinny.c
+++ b/channels/chan_skinny.c
@@ -2374,6 +2374,7 @@ static char *callstate2str(int ind)
 static int transmit_response_bysession(struct skinnysession *s, struct skinny_req *req)
 {
 	int res = 0;
+	unsigned long len;
 
 	if (!s) {
 		ast_log(LOG_WARNING, "Asked to transmit to a non-existent session!\n");
@@ -2382,7 +2383,10 @@ static int transmit_response_bysession(struct skinnysession *s, struct skinny_re
 
 	ast_mutex_lock(&s->lock);
 
-	if ((letohl(req->len) > SKINNY_MAX_PACKET) || (letohl(req->len) < 0)) {
+	/* Don't optimize out assigning letohl() to len. It is necessary to guarantee that the comparison will always catch invalid values.
+	 * letohl() may or may not return a signed value depending upon which definition is used. */
+	len = letohl(req->len);
+	if (SKINNY_MAX_PACKET < len) {
 		ast_log(LOG_WARNING, "transmit_response: the length of the request (%u) is out of bounds (%d)\n", letohl(req->len), SKINNY_MAX_PACKET);
 		ast_mutex_unlock(&s->lock);
 		return -1;
diff --git a/channels/pjsip/dialplan_functions.c b/channels/pjsip/dialplan_functions.c
index 567cd59ee..9c5245648 100644
--- a/channels/pjsip/dialplan_functions.c
+++ b/channels/pjsip/dialplan_functions.c
@@ -866,11 +866,11 @@ static int media_offer_read_av(struct ast_sip_session *session, char *buf,
 
 		/* add one since we'll include a comma */
 		size = strlen(ast_format_get_name(fmt)) + 1;
-		len -= size;
-		if ((len) < 0) {
+		if (len < size) {
 			ao2_ref(fmt, -1);
 			break;
 		}
+		len -= size;
 
 		/* no reason to use strncat here since we have already ensured buf has
                    enough space, so strcat can be safely used */