From 16684328946bcb8b251e4fd6da52c983b9cdc9cf Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sat, 15 Aug 2020 11:30:54 +0100
Subject: [PATCH] Problem: WS might use handshake buffer for data

Solution: check for it before reusing it to avoid overflows
---
 src/ws_decoder.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/ws_decoder.cpp b/src/ws_decoder.cpp
index 9fc4e2e2..58b12707 100644
--- a/src/ws_decoder.cpp
+++ b/src/ws_decoder.cpp
@@ -212,10 +212,13 @@ int zmq::ws_decoder_t::size_ready (unsigned char const *read_pos_)
     // data into a new message and complete it in the next receive.
 
     shared_message_memory_allocator &allocator = get_allocator ();
-    if (unlikely (!_zero_copy
+    if (unlikely (!_zero_copy || allocator.data () > read_pos_
+                  || static_cast<size_t> (read_pos_ - allocator.data ())
+                       > allocator.size ()
                   || _size > static_cast<size_t> (
                        allocator.data () + allocator.size () - read_pos_))) {
         // a new message has started, but the size would exceed the pre-allocated arena
+        // (or read_pos_ is in the initial handshake buffer)
         // this happens every time when a message does not fit completely into the buffer
         rc = _in_progress.init_size (static_cast<size_t> (_size));
     } else {