From d6483793e1c3e337e33b53452c0e0249107d099b Mon Sep 17 00:00:00 2001
From: Fred Sundvik
Date: Mon, 5 Feb 2024 14:39:29 +0200
Subject: [PATCH] fix: buffer overrun in lmpack_session_receive

The offset was not taken into account when calculating the remaining buffer size.
---
 src/mpack/lmpack.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/mpack/lmpack.c b/src/mpack/lmpack.c
index ff21e29789..4ce4b5f3e5 100644
--- a/src/mpack/lmpack.c
+++ b/src/mpack/lmpack.c
@@ -882,7 +882,9 @@ static int lmpack_session_receive(lua_State *L)
 luaL_argcheck(L, (size_t)startpos <= len, 3,
 "start position must be less than or equal to the input string length");
 
- str += (size_t)startpos - 1;
+ size_t offset = (size_t)startpos - 1 ;
+ str += offset;
+ len -= offset;
 
 if (session->unpacker != LUA_REFNIL) {
 lmpack_geti(L, session->reg, session->unpacker);
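Review bot: The new `len -= offset;` is only safe when `startpos` is at least 1, because with `startpos == 0` the expression `(size_t)startpos - 1` wraps to `SIZE_MAX` and both `str` and `len` end up out of range. The hunk shows the upper bound (`(size_t)startpos <= len`), but any lower-bound check sits above the visible context, so confirm it exists and record the invariant next to the arithmetic, e.g. `/* startpos is 1-based and <= len (checked above), so offset < len and len cannot wrap */`. There is also a stray space before the semicolon in `size_t offset = (size_t)startpos - 1 ;`. The body of lmpack_session_receive starts and ends outside the hunk, and the patch touches only lmpack.c, so no regression test for a receive call with a start position greater than 1 comes with the fix.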