From: Niels Möller Date: Wed, 17 Dec 2025 13:08:49 +0000 (+0100) Subject: Fix off-by-one length check error in sexp parser. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;p=thirdparty%2Fnettle.git Fix off-by-one length check error in sexp parser. --- diff --git a/ChangeLog b/ChangeLog index b9b787dc..203d5f9f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2025-12-17 Niels Möller + + * sexp.c (sexp_iterator_simple): Fix off-by-one error in length + check. Reported via oss-fuzz. + 2025-12-15 Niels Möller * base16-decode.c (base16_decode_update): Fix returned value on diff --git a/sexp.c b/sexp.c index eb8da633..3ef4b6bc 100644 --- a/sexp.c +++ b/sexp.c @@ -79,7 +79,8 @@ sexp_iterator_simple(struct sexp_iterator *iterator, do { length = length * 10 + (c - '0'); - if (length > (iterator->length - iterator->pos)) + /* >= to account for ':' character */ + if (length >= (iterator->length - iterator->pos)) return 0; if (EMPTY(iterator)) return 0;
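Review bot: the new comment in the sexp.c hunk, `/* >= to account for ':' character */`, names the reason but not the invariant, and a reader has to work out why `>=` is correct. Consider spelling it out: at this point the remaining `iterator->length - iterator->pos` bytes must still hold the ':' delimiter plus `length` data bytes, so `length` has to be strictly smaller than the remainder. The old `>` comparison accepted the case where the two are equal, which leaves one byte too few after the ':'. The patch touches only ChangeLog and sexp.c, so a regression case would be worth adding alongside it: an input whose declared length is one more than the number of bytes that follow the ':' should make the iterator return 0.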