Author: Guido Vranken <guidovranken@gmail.com>
Description: pointer overflow in zmq::v2_decoder_t::size_ready
 leading to remote code execution (issue #3351).
 Refactor bounds check arithmetic such that no overflow shall occur
Origin: https://github.com/zeromq/libzmq/pull/3353
Applied-Upstream: 1a2ed12716693073032d57dac4e269df3d373751
--- a/src/v2_decoder.cpp
+++ b/src/v2_decoder.cpp
@@ -114,9 +114,8 @@ int zmq::v2_decoder_t::size_ready (uint64_t msg_size,
     // the current message can exceed the current buffer. We have to copy the buffer
     // data into a new message and complete it in the next receive.
 
-    if (unlikely (
-          !zero_copy
-          || ((unsigned char *) read_pos + msg_size > (data () + size ())))) {
+    if (unlikely (!zero_copy
+                  || msg_size > (size_t) (data () + size () - read_pos))) {
         // a new message has started, but the size would exceed the pre-allocated arena
         // this happens every time when a message does not fit completely into the buffer
         rc = in_progress.init_size (static_cast<size_t> (msg_size));