Fix boundary checking in base-256 decoder

* src/list.c (from_header): Base-256 encoding is at least 2 bytes
long.

diff --git a/src/list.c b/src/list.c
index 9fafc425a824fae842ababe1ff0309a8c2016d01..86bcfdd1cc30cad5b4882a6745a435d28ab1ec82 100644 (file)
--- a/src/list.c
+++ b/src/list.c
@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
          where++;
        }
     }
-  else if (*where == '\200' /* positive base-256 */
-          || *where == '\377' /* negative base-256 */)
+  else if (where <= lim - 2
+          && (*where == '\200' /* positive base-256 */
+              || *where == '\377' /* negative base-256 */))
     {
       /* Parse base-256 output.  A nonnegative number N is
         represented as (256**DIGS)/2 + N; a negative number -N is