File 05-Fix-double-free.patch of Package ucl

From: John Reiser <jreiser@users.sourceforge.net>
Date: Mon, 27 Aug 2018 20:32:39 +0200
Subject: Fix double free (memory clobbered) bug visible in upx

Patch from https://github.com/upx/upx/issues/207
to fix a crash in upx occurring on malformed input.

The "m_len + 1" in

        fail(olen + (m_len + 1) > oend, UCL_E_OUTPUT_OVERRUN);

should match the "m_len + 1" in

        olen += m_len + 1;

because it is the number of increments of olen in the copy step:

            dst[olen++] = *m_pos++;
            do dst[olen++] = *m_pos++; while (--m_len > 0);

Bugs-Debian: https://bugs.debian.org/907426
---
 src/n2b_d.c | 2 +-
 src/n2e_d.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/n2b_d.c b/src/n2b_d.c
index 26b6ca5..2725c59 100644
--- a/src/n2b_d.c
+++ b/src/n2b_d.c
@@ -101,7 +101,7 @@
             m_len += 2;
         }
         m_len += (m_off > 0xd00);
-        fail(olen + m_len > oend, UCL_E_OUTPUT_OVERRUN);
+        fail(olen + m_len + 1> oend, UCL_E_OUTPUT_OVERRUN);
         fail(m_off > olen, UCL_E_LOOKBEHIND_OVERRUN);
 #ifdef TEST_OVERLAP
         olen += m_len + 1;
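Review bot: The new bound `olen + m_len + 1 > oend` now agrees with the `olen += m_len + 1` increment visible in the trailing context (the copy step emits m_len + 1 bytes, so the previous check under-counted by one byte of output). Style nit on the added line: `m_len + 1> oend` is missing the space before `>`; write `fail(olen + m_len + 1 > oend, UCL_E_OUTPUT_OVERRUN);` to match the surrounding code. Since this is a crash fix for malformed input, it would be worth adding the reproducer from the referenced upx issue as a regression test so the one-byte off-by-one cannot silently return.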
diff --git a/src/n2e_d.c b/src/n2e_d.c
index efddb49..d40059d 100644
--- a/src/n2e_d.c
+++ b/src/n2e_d.c
@@ -109,7 +109,7 @@
             m_len += 3;
         }
         m_len += (m_off > 0x500);
-        fail(olen + m_len > oend, UCL_E_OUTPUT_OVERRUN);
+        fail(olen + m_len + 1> oend, UCL_E_OUTPUT_OVERRUN);
         fail(m_off > olen, UCL_E_LOOKBEHIND_OVERRUN);
 #ifdef TEST_OVERLAP
         olen += m_len + 1;
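Review bot: Same missing space as in n2b_d.c on the added line (`m_len + 1> oend`); please make it `olen + m_len + 1 > oend` in both decoders. The n2e decoder uses a different threshold (`m_off > 0x500`) but the same `olen += m_len + 1` accounting, so the bound must match here as well; a brief comment above the check stating that the copy writes m_len + 1 bytes would document why the `+ 1` belongs in the overrun test and keep the two files from drifting apart again.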