main/zeromq/CVE-2019-6250.patch


1
2
3
4
5
6
7
8
9
10
11
12
13

diff --git a/src/v2_decoder.cpp b/src/v2_decoder.cpp
index 839be9a..37889bd 100644
--- a/src/v2_decoder.cpp
+++ b/src/v2_decoder.cpp
@@ -116,7 +116,7 @@ int zmq::v2_decoder_t::size_ready (uint64_t msg_size,
 
     if (unlikely (
           !zero_copy
-          || ((unsigned char *) read_pos + msg_size > (data () + size ())))) {
+          || (msg_size > (size_t) (data () + size () - read_pos)))) {
         // a new message has started, but the size would exceed the pre-allocated arena
         // this happens every time when a message does not fit completely into the buffer
         rc = in_progress.init_size (static_cast<size_t> (msg_size));