From f80a8bf4f8d40bc3ba441e654a55b6fa78681072 Mon Sep 17 00:00:00 2001
From: Adam Stylinski
Date: Thu, 3 Oct 2024 17:17:44 -0400
Subject: [PATCH] Compute the "safe" distance properly

The safe pointer that is computed is an exclusive, not inclusive bounds. While we were probably rarely ever bit this, if ever, it still makes sense to apply the limit, properly.
---
 inffast_tpl.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inffast_tpl.h b/inffast_tpl.h
index c8f4786754..2600dd5a22 100644
--- a/inffast_tpl.h
+++ b/inffast_tpl.h
@@ -260,7 +260,7 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) {
 if (dist >= len || dist >= state->chunksize)
 out = chunkcopy_safe(out, out - dist, len, safe);
 else
- out = CHUNKMEMSET_SAFE(out, dist, len, (unsigned)((safe - out) + 1));
+ out = CHUNKMEMSET_SAFE(out, dist, len, (unsigned)((safe - out)));
 } else {
 /* Whole reference is in range of current output. No range checks are
 necessary because we start with room for at least 258 bytes of output,
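Review bot: The remaining-space argument on the added `CHUNKMEMSET_SAFE` line still has no comment stating the convention the commit message relies on, that `safe` is an exclusive bound, and the neighbouring `chunkcopy_safe(out, out - dist, len, safe)` call takes the same pointer without saying how it reads it. A comment above the branch such as `/* safe points one past the last writable byte; safe - out is the space left */` would keep the two calls from drifting apart again, and the leftover double parentheses can be dropped: `(unsigned)(safe - out)`. The cast also assumes `out <= safe` at this point, since a negative difference would wrap to a very large limit and effectively switch the bound off. That invariant is presumably established earlier in INFLATE_FAST, whose body starts and ends outside this hunk, so it is worth confirming or asserting in debug builds.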