From a39b7ddbac3f3ce94ee289cace8a7bda609a2c9f Mon Sep 17 00:00:00 2001
From: cpq
Date: Fri, 11 Nov 2022 15:03:48 +0000
Subject: [PATCH] Fix fuzzer use-after-poison READ 1
---
 mongoose.c | 2 +-
 src/mqtt.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/mongoose.c b/mongoose.c
index b9a9d275..c1f4df31 100644
--- a/mongoose.c
+++ b/mongoose.c
@@ -3196,7 +3196,7 @@ int mg_mqtt_parse(const uint8_t *buf, size_t len, uint8_t version,
 p += 2;
 }
 if (p > end) return MQTT_MALFORMED;
- if (version == 5 && p + 1 < end) p += 1 + p[0]; // Skip options
+ if (version == 5 && p + 2 < end) p += 1 + p[0]; // Skip options
 if (p > end) return MQTT_MALFORMED;
 m->data.ptr = (char *) p;
 m->data.len = (size_t) (end - p);
diff --git a/src/mqtt.c b/src/mqtt.c
index 0db52256..726cdc41 100644
--- a/src/mqtt.c
+++ b/src/mqtt.c
@@ -173,7 +173,7 @@ int mg_mqtt_parse(const uint8_t *buf, size_t len, uint8_t version,
 p += 2;
 }
 if (p > end) return MQTT_MALFORMED;
- if (version == 5 && p + 1 < end) p += 1 + p[0]; // Skip options
+ if (version == 5 && p + 2 < end) p += 1 + p[0]; // Skip options
 if (p > end) return MQTT_MALFORMED;
 m->data.ptr = (char *) p;
 m->data.len = (size_t) (end - p);
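Review bot: The tightened guard `p + 2 < end` in mg_mqtt_parse (the same line in both mongoose.c and src/mqtt.c) does not say which read it protects: from the visible lines `p[0]` is already inside `[p, end)` whenever `p + 1 < end`, so the only inputs whose handling changes are version-5 packets with exactly two bytes left, and those two bytes are now reported as `m->data` instead of being parsed as an options length. For a parser fed from the network it would be safer to check the bound by length before advancing, e.g. `if (version == 5 && p < end) { if ((size_t) (end - p) < (size_t) p[0] + 1) return MQTT_MALFORMED; p += 1 + p[0]; }`, assuming `end` never points past the received bytes (that is established outside this hunk). This also avoids forming a pointer beyond `end` before the following `p > end` test runs. The diffstat shows only the two source files, so adding the fuzzer input as a regression test and a one-line comment on the guard naming the out-of-bounds read would pin what is being fixed. The function body starts and ends outside the hunk.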