From 876ed55d9b8d0c298b6cac1003ec365a19bf7aad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=E9d=E9ric=20L=E9caille?= <flecaille@haproxy.com>
Date: Thu, 2 Apr 2020 14:24:31 +0200
Subject: [PATCH] BUG/MINOR: protocol_buffer: Wrong maximum shifting.

This patch fixes a bad stop condition when decoding a protocol buffer variable integer
whose maximum lenghts are 10, shifting a uint64_t value by more than 63.

Thank you to Ilya for having reported this issue.

Must be backported to 2.1 and 2.0.
---
 include/proto/protocol_buffers.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/proto/protocol_buffers.h b/include/proto/protocol_buffers.h
index 69f0bdf81..0426d83d2 100644
--- a/include/proto/protocol_buffers.h
+++ b/include/proto/protocol_buffers.h
@@ -158,7 +158,7 @@ protobuf_varint(uint64_t *val, unsigned char *pos, size_t len)
 
 		shift += 7;
 		/* The maximum length in bytes of a 64-bit encoded value is 10. */
-		if (shift > 70)
+		if (shift > 63)
 			return 0;
 	}
 
@@ -194,7 +194,7 @@ protobuf_decode_varint(uint64_t *val, unsigned char **pos, size_t *len)
 
 		shift += 7;
 		/* The maximum length in bytes of a 64-bit encoded value is 10. */
-		if (shift > 70)
+		if (shift > 63)
 			return 0;
 	}
 
@@ -227,7 +227,7 @@ protobuf_skip_varint(unsigned char **pos, size_t *len, size_t vlen)
 
 		shift += 7;
 		/* The maximum length in bytes of a 64-bit encoded value is 10. */
-		if (shift > 70)
+		if (shift > 63)
 			return 0;
 	}
 
@@ -263,7 +263,7 @@ protobuf_varint_getlen(unsigned char *pos, size_t len)
 
 		shift += 7;
 		/* The maximum length in bytes of a 64-bit encoded value is 10. */
-		if (shift > 70)
+		if (shift > 63)
 			return -1;
 	}