From ec30a5e9ec703afb8abefba757c6d401303b53db Mon Sep 17 00:00:00 2001
From: Steven Siloti
Date: Fri, 23 Jun 2017 21:19:31 -0700
Subject: [PATCH] fix out-of-bounds read in bdecode Fixes #2099
---
 src/bdecode.cpp | 1 +
 test/test_bdecode.cpp | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/bdecode.cpp b/src/bdecode.cpp
index fb366cb72..cd6fe914b 100644
--- a/src/bdecode.cpp
+++ b/src/bdecode.cpp
@@ -839,6 +839,7 @@ namespace libtorrent
 boost::int64_t len = t - '0';
 char const* str_start = start;
 ++start;
+ if (start >= end) TORRENT_FAIL_BDECODE(bdecode_errors::unexpected_eof);
 bdecode_errors::error_code_enum e = bdecode_errors::no_error;
 start = parse_int(start, end, ':', len, e);
 if (e)
diff --git a/test/test_bdecode.cpp b/test/test_bdecode.cpp
index fd5f0a5fc..cf4ef0857 100644
--- a/test/test_bdecode.cpp
+++ b/test/test_bdecode.cpp
@@ -459,10 +459,10 @@ TORRENT_TEST(unepected_eof)
 printf("%s\n", print_entry(e).c_str());
 }
-// test unexpected EOF (really expected terminator)
+// test unexpected EOF in string length
 TORRENT_TEST(unepected_eof2)
 {
- char b[] = "l2:..0"; // expected terminating 'e' instead of '0'
+ char b[] = "l2:..0"; // expected ':' delimiter instead of EOF
 bdecode_node e;
 error_code ec;
@@ -470,7 +470,7 @@ TORRENT_TEST(unepected_eof2)
 int ret = bdecode(b, b + sizeof(b)-1, e, ec, &pos);
 TEST_EQUAL(ret, -1);
 TEST_EQUAL(pos, 6);
- TEST_EQUAL(ec, error_code(bdecode_errors::expected_colon));
+ TEST_EQUAL(ec, error_code(bdecode_errors::unexpected_eof));
 printf("%s\n", print_entry(e).c_str());
 }
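Review bot: The added `if (start >= end)` guard covers only input that ends right after the first length digit; `parse_int`'s body is not part of this hunk, so whether it stays in bounds when further digits run up to `end` cannot be confirmed here. If `parse_int` requires `start < end` on entry, that precondition should be stated where it is defined, or the check moved inside it so other callers are covered as well. At minimum I would put a comment above the guard, such as `// parse_int() is entered only with start < end; a length cut off at EOF fails here`, and add a test whose length field has several digits before EOF (constructed example: `"l2:..00"`). The enclosing function begins and ends outside the hunk.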
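Review bot: This test cannot observe the out-of-bounds read itself, because `char b[] = "l2:..0"` carries a trailing NUL and `b + sizeof(b)-1` points at that byte, which is still inside the array. A read of `*end` therefore stays within `b`, so neither a crash nor a sanitizer build would flag a regression; only the error code is pinned. Consider feeding the decoder from an exactly sized buffer, e.g. `std::vector<char> buf(b, b + sizeof(b)-1);` followed by `bdecode(buf.data(), buf.data() + buf.size(), e, ec, &pos)`, so that any read past the end is caught under a sanitizer. The declaration of `b` is in the preceding hunk of this file, and the test body starts outside this hunk.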