From 730c85ca4d9ac0d032ea51d87ae956a29338d31d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=B1=AA=E6=98=80=E8=8F=B2?=
Date: Fri, 18 Jul 2025 10:57:37 +0800
Subject: [PATCH] Added Buffer Underflow Check to Prevent Overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 汪昀菲
---
lib/roles/ws/ext/extension-permessage-deflate.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/roles/ws/ext/extension-permessage-deflate.c b/lib/roles/ws/ext/extension-permessage-deflate.c
index 79c70ea9..2855f78b 100644
--- a/lib/roles/ws/ext/extension-permessage-deflate.c
+++ b/lib/roles/ws/ext/extension-permessage-deflate.c
@@ -308,6 +308,12 @@ lws_extension_callback_pm_deflate(struct lws_context *context,
* track how much input was used, and advance it
*/
+ /* COV says we can overflow if "eb_in.len == 0 and rx->avail_in == 4" */
+ if ((unsigned int)priv->rx.avail_in > (unsigned int)pmdrx->eb_in.len) {
+ lwsl_wsi_err(wsi, "rx buffer underflow");
+ return PMDR_FAILED;
+ }
+
pmdrx->eb_in.token = pmdrx->eb_in.token + ((unsigned int)pmdrx->eb_in.len - (unsigned int)priv->rx.avail_in);
pmdrx->eb_in.len = (int)priv->rx.avail_in;
--
Gitee
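Review bot: The new guard compares `(unsigned int)priv->rx.avail_in` with `(unsigned int)pmdrx->eb_in.len`, so a negative `eb_in.len` (it looks signed, given the `(int)` cast on the assignment below) converts to a huge value, passes the check, and still moves `eb_in.token` far outside the buffer. Rejecting that case explicitly would close it: `if (pmdrx->eb_in.len < 0 || (unsigned int)priv->rx.avail_in > (unsigned int)pmdrx->eb_in.len) {`. The added comment records what the analyser reported rather than the invariant being enforced; something like `/* zlib must not report more input remaining than eb_in holds, or the pointer advance below wraps */` would tell a maintainer why the connection is failed. lws_extension_callback_pm_deflate starts and ends outside this hunk, so whether the state in the comment's example can occur on valid traffic cannot be judged from here.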