From 79d92ffee57365df5faac6d4e522327a51378810 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Niels=20M=C3=B6ller?= Date: Wed, 17 Dec 2025 14:08:49 +0100 Subject: [PATCH] Fix off-by-one length check error in sexp parser. --- ChangeLog | 5 +++++ sexp.c | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index b9b787dc..203d5f9f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2025-12-17 Niels Möller + + * sexp.c (sexp_iterator_simple): Fix off-by-one error in length + check. Reported via oss-fuzz. + 2025-12-15 Niels Möller * base16-decode.c (base16_decode_update): Fix returned value on diff --git a/sexp.c b/sexp.c index eb8da633..3ef4b6bc 100644 --- a/sexp.c +++ b/sexp.c @@ -79,7 +79,8 @@ sexp_iterator_simple(struct sexp_iterator *iterator, do { length = length * 10 + (c - '0'); - if (length > (iterator->length - iterator->pos)) + /* >= to account for ':' character */ + if (length >= (iterator->length - iterator->pos)) return 0; if (EMPTY(iterator)) return 0; -- 2.47.3
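Review bot: the `>=` in the sexp.c hunk is correct only under the invariant that exactly one byte (the ':' terminator) sits between the last digit and the string data, and the added comment "/* >= to account for ':' character */" leaves that implicit; stating it as the bound being checked, e.g. `/* remaining bytes must hold the ':' terminator plus length bytes of data */`, lets the next reader verify the comparison against `iterator->length - iterator->pos` without re-deriving it. The diffstat shows only ChangeLog and sexp.c changed, so the boundary input oss-fuzz found (a decimal length equal to the number of bytes left after the digits) gets no regression test; a testsuite case that feeds such an input and expects the iterator to fail would pin the fix and catch the off-by-one if the check is later touched. The check still precedes `if (EMPTY(iterator)) return 0;` in the same loop body, which is fine since it compares against `iterator->pos` before the next character is consumed.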