From 6459633725d1c7d028c3f8e47348d89f5582b0c4 Mon Sep 17 00:00:00 2001
From: Sylvain Rabot
Date: Tue, 25 Feb 2025 17:23:44 +0100
Subject: [PATCH] Fix int overflow in parser

A maliciously crafted message with a bogus body length could make the parser panic if the body length is closed to the int limit.

Fixes https://github.com/quickfixgo/quickfix/issues/678

Signed-off-by: Sylvain Rabot
---
 parser.go      | 5 ++++-
 parser_test.go | 6 ++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/parser.go b/parser.go
index a3ec73993..3de338531 100644
--- a/parser.go
+++ b/parser.go
@@ -132,7 +132,10 @@ func (p *parser) jumpLength() (int, error) {
 		return length, err
 	}
 
-	if length <= 0 {
+	// Issue 678: if length approaches the int limit, it might overflow when
+	// adding offset and make it negative so we also need to check that
+	// offset+length is not negative.
+	if length <= 0 || offset+length <= 0 {
 		return length, errors.New("Invalid length")
 	}
 
diff --git a/parser_test.go b/parser_test.go
index 34bca808d..480ac4da8 100644
--- a/parser_test.go
+++ b/parser_test.go
@@ -186,3 +186,9 @@ func (s *ParserSuite) TestReadMessageGrowBuffer() {
 		s.Equal(tc.expectedBufferLen, len(s.parser.buffer))
 	}
 }
+
+// https://github.com/quickfixgo/quickfix/issues/678
+func TestIssue678(t *testing.T) {
+	parser := newParser(strings.NewReader(string("8=\x019=119999999999999999999999999999999999999999999999999999999999970\x01")))
+	_, _ = parser.ReadMessage()
+}
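Review bot: The new guard `offset+length <= 0` on the `if` line detects the wrap only after it has happened; the conventional pre-check is `if length <= 0 || length > math.MaxInt-offset {` (with `math` imported), which states the bound directly and keeps protecting the sum if a `+1` or an index term is later folded into the same expression. Assuming `offset` is a small non-negative buffer index, a wrapped sum can only land negative, so the check as written is sound for this single addition, but that soundness is incidental rather than stated. `jumpLength` starts and ends outside the hunk, so where `offset` comes from and what the function finally returns cannot be confirmed from these lines. Overflow aside, a body length just below the limit passes both checks; since no real FIX body is anywhere near that size, a configurable maximum body length would reject hostile values before any arithmetic or buffer growth depends on them.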
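Review bot: `TestIssue678` discards both results of `ReadMessage`, so it only establishes that the call does not panic and would still pass if the crafted length were silently accepted; assert the rejection as well: `if _, err := parser.ReadMessage(); err == nil { t.Fatal("expected error for body length near the int limit") }`. The 62-digit length presumably exercises the fix because the parser's integer conversion (not in this hunk) wraps it to a large positive int; a one-line comment saying so, or a literal built from `math.MaxInt` with `strconv`, would keep the regression readable if that conversion ever changes. The `string(...)` wrapped around a string literal is a no-op conversion and can be dropped.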