From 2fdbf0f7d59efc2a4812402d0794711d99704760 Mon Sep 17 00:00:00 2001
From: Matteo Collina
Date: Wed, 17 Apr 2019 23:40:11 +0200
Subject: [PATCH] fix malformed packet

---
 parser.js | 1 +
 test.js | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/parser.js b/parser.js
index b9ac7b8..a476f21 100644
--- a/parser.js
+++ b/parser.js
@@ -302,6 +302,7 @@ Parser.prototype._parseSubscribe = function () {
 // Parse topic
 topic = this._parseString()
 if (topic === null) return this._emitError(new Error('Cannot parse topic'))
+ if (this._pos >= packet.length) return this._emitError(new Error('Malformed Subscribe Payload'))
 
 options = this._parseByte()
 qos = options & constants.SUBSCRIBE_OPTIONS_QOS_MASK
diff --git a/test.js b/test.js
index c87cfec..a86e9be 100644
--- a/test.js
+++ b/test.js
@@ -1839,6 +1839,17 @@ testParseError('Not supported auth packet for this version MQTT', Buffer.from([
 38, 0, 4, 116, 101, 115, 116, 0, 4, 116, 101, 115, 116 // userProperties
 ]))
 
+// When a Subscribe packet contains a topic_filter and the given
+// length is topic_filter.length + 1 then the last byte (requested QoS) is interpreted as topic_filter
+// reading the requested_qos at the end causes 'Index out of range' read
+testParseError('Malformed Subscribe Payload', Buffer.from([
+ 130, 14, // subscribe header and remaining length
+ 0, 123, // packet ID
+ 0, 10, // topic filter length
+ 104, 105, 106, 107, 108, 47, 109, 110, 111, // topic filter with length of 9 bytes
+ 0 // requested QoS
+]))
+
 test('stops parsing after first error', function (t) {
 t.plan(4)
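Review bot: The added `this._pos >= packet.length` guard in the parser.js hunk protects only the options read that follows it in `_parseSubscribe`; `_parseByte()` itself apparently still reads without a bounds check (its body is outside this hunk, so this is inferred from the 'Index out of range' the test comment describes). Because the packet bytes come from the network, every other call site that reads a byte after a length-prefixed field deserves the same check, or the check can live once inside `_parseByte`. At minimum I would add a comment above the new line, `// topic length is taken from the packet; make sure the options byte is still inside it`, so the guard is not later removed as redundant. `_parseSubscribe` starts and ends outside the hunk.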
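Review bot: The new case in the test.js hunk covers only a single-filter packet where the declared topic length swallows exactly the QoS byte, so `_pos` lands exactly on `packet.length`. A second `testParseError` in which the truncated entry is the second filter of a multi-filter SUBSCRIBE would pin that the guard also holds on later iterations (assuming the parser loops over filters, which this patch does not show). The comment's last line could read `// so reading the requested QoS afterwards used to throw 'Index out of range'` to make clear that it describes the pre-fix behaviour.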