Compute the "safe" distance properly

The safe pointer that is computed is an exclusive, not inclusive bounds.
While we were probably rarely ever bit this, if ever, it still makes
sense to apply the limit, properly.

diff --git a/inffast_tpl.h b/inffast_tpl.h
index c8f478675437ced464d706ba3461b2dff20b07c0..2600dd5a220ef125bd2f28b65df3cdac57c67d7d 100644 (file)
--- a/inffast_tpl.h
+++ b/inffast_tpl.h
@@ -260,7 +260,7 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) {
                     if (dist >= len || dist >= state->chunksize)
                         out = chunkcopy_safe(out, out - dist, len, safe);
                     else
-                        out = CHUNKMEMSET_SAFE(out, dist, len, (unsigned)((safe - out) + 1));
+                        out = CHUNKMEMSET_SAFE(out, dist, len, (unsigned)((safe - out)));
                 } else {
                     /* Whole reference is in range of current output.  No range checks are
                        necessary because we start with room for at least 258 bytes of output,