From 2d217e66611b767b70634c5c9901a828ac00d690 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Fri, 5 Jul 2019 08:34:06 +0200
Subject: [PATCH] http: fixes overflow in range parsing

---
 src/app-layer-htp-file.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/app-layer-htp-file.c b/src/app-layer-htp-file.c
index a04196a74a..2f367daf7f 100644
--- a/src/app-layer-htp-file.c
+++ b/src/app-layer-htp-file.c
@@ -186,7 +186,7 @@ int HTPParseContentRange(bstr * rawvalue, HtpContentRange *range)
 
     if (data[pos] == '*') {
         // case with size only
-        if (len < pos + 1 || data[pos+1] != '/') {
+        if (len <= pos + 1 || data[pos+1] != '/') {
             range->size = -1;
             return -1;
         }
@@ -196,13 +196,13 @@ int HTPParseContentRange(bstr * rawvalue, HtpContentRange *range)
         // case with start and end
         range->start = bstr_util_mem_to_pint(data + pos, len - pos, 10, &last_pos);
         pos += last_pos;
-        if (len < pos + 1 || data[pos] != '-') {
+        if (len <= pos + 1 || data[pos] != '-') {
             return -1;
         }
         pos++;
         range->end = bstr_util_mem_to_pint(data + pos, len - pos, 10, &last_pos);
         pos += last_pos;
-        if (len < pos + 1 || data[pos] != '/') {
+        if (len <= pos + 1 || data[pos] != '/') {
             return -1;
         }
         pos++;
-- 
2.47.2