From 827d1ff11eaf5019fb4bf292d72cd1e19781b878 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 13 Feb 2018 09:27:42 -0800
Subject: [PATCH] binpac: Fix integer overflow in binpac generated code.

The issue is that t_begin_of_data + %s can sometimes overflow.

Bug reported and patch proposed by Philippe Antoine from Catena cyber.
---
 tools/binpac/src/pac_array.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/binpac/src/pac_array.cc b/tools/binpac/src/pac_array.cc
index 1d38011780..eb03dd5597 100644
--- a/tools/binpac/src/pac_array.cc
+++ b/tools/binpac/src/pac_array.cc
@@ -280,8 +280,8 @@ void ArrayType::GenArrayLength(Output *out_cc, Env *env, const DataPtr& data)
 // Check for overlong array length. We cap it at the
 // maximum data size as we won't store more elements.
- out_cc->println("if ( t_begin_of_data + %s > t_end_of_data + 1 )",
- env->LValue(arraylength_var()));
+ out_cc->println("if ( t_begin_of_data + %s > t_end_of_data + 1 || t_begin_of_data + %s < t_begin_of_data )",
+ env->LValue(arraylength_var()), env->LValue(arraylength_var()));
 out_cc->inc_indent();
 out_cc->println("{");
 out_cc->println("%s = t_end_of_data - t_begin_of_data + 1;",