From 9c61eefe0d717c525dbcbda3a5b3ffb51acc1687 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Fri, 18 May 2018 09:13:17 -0500
Subject: [PATCH] binpac: BIT-1829: fix &length suppressing boundary checks for array elements

It should only suppress the parsing-loop boundary check in the case where array elaments are a single byte in length and thus covered by the boundary check (generated as a result of &length) that is placed before the parsing-loop.
---
 tools/binpac/src/pac_array.cc | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tools/binpac/src/pac_array.cc b/tools/binpac/src/pac_array.cc
index eb03dd5597..7017389df9 100644
--- a/tools/binpac/src/pac_array.cc
+++ b/tools/binpac/src/pac_array.cc
@@ -683,6 +683,17 @@ int ArrayType::StaticSize(Env *env) const
 void ArrayType::SetBoundaryChecked()
 {
 Type::SetBoundaryChecked();
+
+ if ( attr_length_expr_ )
+ {
+ // When using &length on an array, only treat its elements as
+ // already-bounds-checked if they are a single byte in length.
+ if ( elemtype_->StaticSize(env()) == 1 )
+ elemtype_->SetBoundaryChecked();
+
+ return;
+ }
+
 elemtype_->SetBoundaryChecked();
 }
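Review bot: The comment added above `if ( elemtype_->StaticSize(env()) == 1 )` states the rule but not the reason, and the reason is what keeps a later edit from widening the condition again. Going by the commit description, the check emitted before the parsing loop for &length bounds the array as a whole, so only one-byte elements are covered by it and a wider element presumably can still run past the end of the data; I would record that, e.g. `// The pre-loop check from &length bounds the array as a whole, not each element; only 1-byte elements are fully covered by it.` The early `return` can also be folded away by guarding a single `elemtype_->SetBoundaryChecked();` with `if ( ! attr_length_expr_ || elemtype_->StaticSize(env()) == 1 )`. The patch touches only pac_array.cc, so a .pac regression case with a multi-byte element type under &length would be worth adding alongside it.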