From ed8890b6a575605a78400331ea44594587caf012 Mon Sep 17 00:00:00 2001
From: Rahim Kanji
Date: Mon, 2 Mar 2026 02:26:08 +0500
Subject: [PATCH] Added bounds checking for Describe and Close messages to prevent reads beyond packet boundaries
---
 lib/PgSQL_Extended_Query_Message.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/PgSQL_Extended_Query_Message.cpp b/lib/PgSQL_Extended_Query_Message.cpp
index 375a6a1b0..a66a3d866 100644
--- a/lib/PgSQL_Extended_Query_Message.cpp
+++ b/lib/PgSQL_Extended_Query_Message.cpp
@@ -175,9 +175,9 @@ bool PgSQL_Describe_Message::parse(PtrSize_t& pkt) {
 return false;
 }
- // Validate remaining length for statement name (at least 1 byte for null-terminated string)
+ // Validate remaining length for statement type (at least 1 byte for null-terminated string)
 if (offset >= pkt_len) {
- return false; // Not enough data for statement name
+ return false; // Not enough data for statement type
 }
 // Read the statement type (1 byte)
@@ -250,6 +250,12 @@ bool PgSQL_Close_Message::parse(PtrSize_t& pkt) {
 proxy_debug(PROXY_DEBUG_MYSQL_CONNECTION, 1, "Packet size too small: %u bytes\n", pkt.size);
 return false;
 }
+
+ // Validate remaining length for statement type (1 byte)
+ if (offset >= pkt_len) {
+ return false; // Not enough data for statement type
+ }
+
 // Read the statement type (1 byte)
 data.stmt_type = *(packet + offset);
 offset += sizeof(uint8_t);
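Review bot: The new guard added in PgSQL_Close_Message::parse (hunk at @@ -250) returns false silently, whereas the size check immediately above it logs the rejected packet through proxy_debug before returning; a truncated Close message is precisely the malformed input an operator wants to see in the debug log, so the early return should log the same way, e.g. `proxy_debug(PROXY_DEBUG_MYSQL_CONNECTION, 1, "Not enough data for statement type\n");` (append offset and pkt_len with format specifiers matching their declared types, which are not visible in this hunk). The pre-existing early return in PgSQL_Describe_Message::parse (hunk at @@ -175, whose comment this commit rewords) has the same silent shape and could be aligned at the same time. Both parse bodies continue past their hunks; if the statement name that follows stmt_type is read as a null-terminated string, that read must also be bounded by pkt_len - offset rather than relying on a terminator being present, which cannot be confirmed from what is shown here.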