While setting up fuzz testing for some parts of outpost-core, I stumbled upon a bug in the COBS encoder algorithm.
Our fuzzer found a buffer overread of size one in the while loop starting in line 118.
During the loops, the position variable will be increased up to mLength which is the size of the input data. On the last iteration, position will be at mLength, meaning that in the case of an input array mData with length n, mData[n] will be read, which does not belong to the buffer.
I will create a pull request with a fix in a second.
Best regards,
Christian Hartlage
Security Engineer @code-intelligence-gmbh
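
The loop-bound pattern described in the report, shown as an added example that is not outpost-core's code and not the reporter's fix: a stand-alone COBS encoder whose inner loop tests `position < length` before it reads `data[position]`. The function name `cobsEncode` and the sample bytes are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added illustration, not outpost-core code: cobsEncode is a hypothetical name.
// Encodes data[0..length) without the trailing frame delimiter.
std::vector<uint8_t> cobsEncode(const uint8_t* data, std::size_t length)
{
    std::vector<uint8_t> out;
    std::size_t position = 0;
    bool needBlock = true;  // even empty input produces one block (0x01)
    while (needBlock)
    {
        const std::size_t codeIndex = out.size();
        out.push_back(0);  // placeholder for this block's code byte
        uint8_t code = 1;
        // The bound is tested before the read, so data[length] is never touched.
        while (position < length && data[position] != 0 && code < 0xFF)
        {
            out.push_back(data[position++]);
            ++code;
        }
        out[codeIndex] = code;
        if (code == 0xFF)
        {
            // Full block of 254 non-zero bytes implies no zero; go on only if input remains.
            needBlock = position < length;
        }
        else if (position < length)
        {
            ++position;  // stopped on a zero byte: consume it, another block follows
        }
        else
        {
            needBlock = false;  // input exhausted
        }
    }
    return out;
}

int main()
{
    const uint8_t sample[] = {0x11, 0x22, 0x00, 0x33};  // constructed input
    for (uint8_t b : cobsEncode(sample, sizeof(sample)))
        std::printf("%02X ", static_cast<unsigned>(b));
    std::printf("\n");
    return 0;
}
```

Building a fuzz or unit test of such an encoder with AddressSanitizer and exactly sized heap buffers makes a one-byte read past the input fail immediately.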