From 7e1098befe178e4b93657a4d49e6a354037beec4 Mon Sep 17 00:00:00 2001
From: Jan Sturm
Date: Tue, 29 Oct 2024 19:26:19 +0100
Subject: [PATCH] py/objdeque: Fix buffer overflow in deque_subscr.
In `deque_subscr()`, if `index_val` equals `self->alloc`, the index correction `index_val -= self->alloc` does not execute, leading to an out-of-bounds access in `self->items[index_val]`. The fix in this commit ensures that the index correction is applied whenever `index_val >= self->alloc`, preventing access beyond the allocated buffer size.
Signed-off-by: Jan Sturm
---
 py/objdeque.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/py/objdeque.c b/py/objdeque.c
index 2ad771284..22c380a05 100644
--- a/py/objdeque.c
+++ b/py/objdeque.c
@@ -208,7 +208,7 @@ static mp_obj_t deque_subscr(mp_obj_t self_in, mp_obj_t index, mp_obj_t value) {
 size_t offset = mp_get_index(self->base.type, deque_len(self), index, false);
 size_t index_val = self->i_get + offset;
- if (index_val > self->alloc) {
+ if (index_val >= self->alloc) {
 index_val -= self->alloc;
 }
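Review bot: The wrap-around at `if (index_val >= self->alloc)` appears to rely on an unstated invariant, namely that `self->i_get` is below `self->alloc` and that the `offset` returned by `mp_get_index()` is below the deque length, so a single subtraction is enough to bring `index_val` back into `[0, alloc)`. A short comment above the check, such as `// i_get < alloc and offset < len, so one subtraction wraps index_val into [0, alloc)`, would let a reader verify the bound on `self->items[index_val]` without tracing the callers. The diffstat shows only py/objdeque.c changed, so nothing pins the boundary case `i_get + offset == alloc`; a regression test that subscripts a deque whose read position has advanced far enough for the sum to land exactly on `alloc` would keep the comparison from regressing. Any other ring-buffer wrap sites in this file are outside the hunk and are worth checking for the same `>` comparison. The body of deque_subscr starts and ends outside the hunk.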