From 4a540a4fb7b148a8d7d32a8b5434fc51e5dd6bcd Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Mon, 1 Jun 2026 15:25:32 +0200
Subject: [PATCH] BUG/MINOR: mux-spop: Fix possible off-by-one OOB read in spop_get_varint()

In spop_get_varint(), -1 is returned if there is not enough data in the buffer to decode the variable integer. However a strict comparison agasint b_data() was performed, which is wrong. A failure must be reported if the index is greater or equal to b_data(). This patch must be backported as far as 3.2.
---
 src/mux_spop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/mux_spop.c b/src/mux_spop.c
index df2ca5f62..840fa3c9f 100644
--- a/src/mux_spop.c
+++ b/src/mux_spop.c
@@ -1033,7 +1033,7 @@ static __maybe_unused int spop_get_varint(const struct buffer *b, int o, uint64_
 size_t idx = o;
 int r;
- if (idx > b_data(b))
+ if (idx >= b_data(b))
 return -1;
 p = (unsigned char *)b_peek(b, idx++);
@@ -1043,7 +1043,7 @@ static __maybe_unused int spop_get_varint(const struct buffer *b, int o, uint64_
 r = 4;
 do {
- if (idx > b_data(b))
+ if (idx >= b_data(b))
 return -1;
 p = (unsigned char *)b_peek(b, idx++);
 *i += (uint64_t)*p << r;
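Review bot: The first check, `if (idx >= b_data(b))`, is also the only thing that rejects a negative `o`, and nothing in the code says so. Because `size_t idx = o;` converts a negative `int` to a very large value, the comparison catches it, but only implicitly. A short comment above the check would record both invariants, for example `/* idx must be < b_data(b) before b_peek(); a negative <o> wraps to a huge idx and fails here */`. The function starts and ends outside this hunk, so how callers derive `o` cannot be confirmed from here.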
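Review bot: The shift count in `*i += (uint64_t)*p << r;` has no visible upper bound, and the corrected index check does not cover it. The tail of the `do` loop is outside the hunk, but if `r` grows by a fixed step for each continuation byte, a long enough run of them in the buffer would raise it to 64 or more. Shifting a `uint64_t` by its width or more is undefined behaviour in C. A guard before the shift, such as `if (r >= 64) return -1;`, would reject over-long encodings. Note also that `*i` has already been written when the loop returns -1, so callers should not read it on failure.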