From: Jonathan Dieter Date: Tue, 4 Apr 2023 20:08:50 +0000 (+0100) Subject: Fix read off-by-one bug in compressed int function X-Git-Tag: archive/raspbian/1.3.1+ds1-1+rpi1^2~5^2~3 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=1829fd18c9626254c266b87212715dae7cedc5fb;p=zchunk.git Fix read off-by-one bug in compressed int function A malformed compressed integer would cause unzck to read one byte past the end of the allocated memory. This commit fixes this bug. Thanks to Agostino Sarubbo of Gentoo for providing a bug report with a reproducible test case. Signed-off-by: Jonathan Dieter --- diff --git a/src/lib/compint.c b/src/lib/compint.c index d3f491e..5178559 100644 --- a/src/lib/compint.c +++ b/src/lib/compint.c @@ -68,7 +68,7 @@ int compint_to_size(zckCtx *zck, size_t *val, const char *compint, break; i++; /* Make sure we're not overflowing and fail if we do */ - if(count > MAX_COMP_SIZE || count > max_length || *val < old_val) { + if(count >= MAX_COMP_SIZE || count >= max_length || *val < old_val) { if(count > max_length) set_fatal_error(zck, "Read past end of header"); else
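Review bot: the inner check `if(count > max_length)` in the error branch was left as `>` while the outer condition moved to `>=`. When `count == max_length` (the exact boundary this commit closes), the failure falls through to the `else` branch and is not reported as "Read past end of header". Suggest changing the inner test to `if(count >= max_length)` so the message matches the condition that fired. Two smaller points: the comment above the condition still says only "Make sure we're not overflowing", although the check now also guards the read bound, so a word on why `>=` is required would help future readers. Also, the hunk does not show where `count` is incremented relative to this test, so it is worth confirming that a well-formed compressed integer of the maximum length is still accepted under `count >= MAX_COMP_SIZE`. Since the commit message mentions a reproducible test case, adding it as a regression test would pin both boundaries.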