From de6f34e9a28a79385cab6c5cff860f7cacdfd1d5 Mon Sep 17 00:00:00 2001
From: Shubhangi Shrivastava
Date: Fri, 29 May 2026 12:26:13 +0000
Subject: [PATCH] Guarding buffer load u16

Signed-off-by: Shubhangi Shrivastava
---
 src/nfa/nfa_rev_api.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/nfa/nfa_rev_api.h b/src/nfa/nfa_rev_api.h
index 370f96ef6..ea9bc411c 100644
--- a/src/nfa/nfa_rev_api.h
+++ b/src/nfa/nfa_rev_api.h
@@ -104,6 +104,9 @@ size_t nfaRevAccel_i(const struct NFA *nfa, const u8 *buffer, size_t length) {
 break;
 case ACCEL_RDEOD:
 DEBUG_PRINTF("ACCEL_RDEOD\n");
+ if (length < nfa->rAccelOffset + 1) {
+ break;
+ }
 if (unaligned_load_u16(buffer + length - nfa->rAccelOffset) !=
 nfa->rAccelData.dc) {
 return 0;
@@ -111,6 +114,9 @@ size_t nfaRevAccel_i(const struct NFA *nfa, const u8 *buffer, size_t length) {
 break;
 case ACCEL_RDEOD_NOCASE:
 DEBUG_PRINTF("ACCEL_RDEOD_NOCASE\n");
+ if (length < nfa->rAccelOffset + 1) {
+ break;
+ }
 if ((unaligned_load_u16(buffer + length - nfa->rAccelOffset) &
 DOUBLE_CASE_CLEAR) != nfa->rAccelData.dc) {
 return 0;
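Review bot: The guard `if (length < nfa->rAccelOffset + 1)` added in the ACCEL_RDEOD case does not match the two bytes that `unaligned_load_u16(buffer + length - nfa->rAccelOffset)` reads: that load covers offsets `length - rAccelOffset` and `length - rAccelOffset + 1`, so its start is in bounds as soon as `length >= rAccelOffset`, while its end stays inside the buffer only when `rAccelOffset >= 2`, which the `+ 1` does not test. Unless that lower limit on rAccelOffset is enforced elsewhere (not visible in this patch), I would check both ends at run time, `if (nfa->rAccelOffset < 2 || length < nfa->rAccelOffset) { break; }`, rather than rely on the offset field being well formed. The identical guard in the ACCEL_RDEOD_NOCASE hunk needs the same change. A short comment above the guard, e.g. `/* buffer too short for the 2-byte tail load: skip the accel check */`, would record why the short case takes `break` instead of `return 0`; the code after the switch lies outside both hunks, so I cannot confirm what `break` returns.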