From 1829fd18c9626254c266b87212715dae7cedc5fb Mon Sep 17 00:00:00 2001 From: Jonathan Dieter Date: Tue, 4 Apr 2023 21:08:50 +0100 Subject: [PATCH] Fix read off-by-one bug in compressed int function A malformed compressed integer would cause unzck to read one byte past the end of the allocated memory. This commit fixes this bug. Thanks to Agostino Sarubbo of Gentoo for providing a bug report with a reproducible test case. Signed-off-by: Jonathan Dieter --- src/lib/compint.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/compint.c b/src/lib/compint.c index d3f491e..5178559 100644 --- a/src/lib/compint.c +++ b/src/lib/compint.c @@ -68,7 +68,7 @@ int compint_to_size(zckCtx *zck, size_t *val, const char *compint, break; i++; /* Make sure we're not overflowing and fail if we do */ - if(count > MAX_COMP_SIZE || count > max_length || *val < old_val) { + if(count >= MAX_COMP_SIZE || count >= max_length || *val < old_val) { if(count > max_length) set_fatal_error(zck, "Read past end of header"); else -- 2.30.2
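Review bot: the inner check `if(count > max_length)` still uses a strict comparison while the outer guard now fires on `count >= max_length`, so the case this patch newly catches, `count == max_length`, falls into the `else` branch and reports the wrong error instead of "Read past end of header". Change the inner test to `if(count >= max_length)` so the two conditions agree, and confirm that tightening `count > MAX_COMP_SIZE` to `count >= MAX_COMP_SIZE` does not reject a well-formed compressed integer that is exactly MAX_COMP_SIZE bytes long, since the hunk does not show how that constant is defined.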