A malformed compressed integer would cause unzck to read one byte past the
end of the allocated memory. This commit fixes this bug. Thanks to
Agostino Sarubbo of Gentoo for providing a bug report with a reproducible
test case.
Signed-off-by: Jonathan Dieter <jdieter@gmail.com>
break;
i++;
/* Make sure we're not overflowing and fail if we do */
- if(count > MAX_COMP_SIZE || count > max_length || *val < old_val) {
+ if(count >= MAX_COMP_SIZE || count >= max_length || *val < old_val) {
if(count > max_length)
set_fatal_error(zck, "Read past end of header");
else
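
Review bot: the nested check `if(count > max_length)` in the context lines right after the changed condition still uses `>`, so when the new `>=` bound fires at `count == max_length` control goes to the `else` branch rather than reporting "Read past end of header". Consider changing it to `if(count >= max_length)` so the reported error matches the bound that actually tripped. It would also help for the comment above the condition to state that `count` is used as an index after this check, which is why equality must be rejected.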