Fix off-by-one length check error in sexp parser. master
authorNiels Möller <nisse@lysator.liu.se>
Wed, 17 Dec 2025 13:08:49 +0000 (14:08 +0100)
committerNiels Möller <nisse@lysator.liu.se>
Wed, 17 Dec 2025 13:37:23 +0000 (14:37 +0100)
ChangeLog
sexp.c

index b9b787dc72e85c26261235c1daaed01df6df31a8..203d5f9f314020cd0c67529542764fdba24b6ba2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2025-12-17  Niels Möller  <nisse@lysator.liu.se>
+
+       * sexp.c (sexp_iterator_simple): Fix off-by-one error in length
+       check. Reported via oss-fuzz.
+
 2025-12-15  Niels Möller  <nisse@lysator.liu.se>
 
        * base16-decode.c (base16_decode_update): Fix returned value on
diff --git a/sexp.c b/sexp.c
index eb8da63306b59873302e2564558e73aad26f1d4f..3ef4b6bcea2d23c60657341f1c3184db17e24205 100644 (file)
--- a/sexp.c
+++ b/sexp.c
@@ -79,7 +79,8 @@ sexp_iterator_simple(struct sexp_iterator *iterator,
     do
       {
        length = length * 10 + (c - '0');
-       if (length > (iterator->length - iterator->pos))
+       /* >= to account for ':' character */
+       if (length >= (iterator->length - iterator->pos))
          return 0;
 
        if (EMPTY(iterator)) return 0;
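Review bot: The added comment `/* >= to account for ':' character */` names the delimiter but not the invariant the check enforces, so the reason `>` was wrong is still easy to miss. I would spell it out, e.g. `/* The bytes left must hold at least the ':' delimiter plus length bytes of payload, so length must be strictly smaller than what remains. */`. Separately, `length = length * 10 + (c - '0')` runs before the bound is tested and is limited only by the previous iteration's check; if `length` is narrower than the iterator's `length`/`pos` fields (the declarations are outside this hunk), the multiply could wrap on a very large buffer, so it is worth confirming that the types agree. The body of sexp_iterator_simple starts before and continues after the hunk.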