
Incorrect overflow guard condition in _ksba_ber_read_tl
Open, Needs Triage, Public

Description

From another report received today from Cobalt AI:

Incorrect overflow guard condition in _ksba_ber_read_tl (ber-help.c:185)

The current guard reads:

if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)

The first sub-condition ti->length > ti->nhdr is logically
unnecessary and creates a gap: when nhdr > length, the overflow check
is skipped entirely. The correct unsigned overflow check for a + b is
simply (a + b) < a. Since nhdr is always small in practice (header is
at most ~10 bytes), this is not immediately exploitable, but the guard
does not correctly express the intended invariant.

Proposed fix:

if ((ti->nhdr + ti->length) < ti->nhdr)
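As an added illustration (my code, not libksba's or the report's), the two guards side by side with a wrap-free reference check; the function names are mine, and the values that expose the gap are synthetic, since a real DER header never makes nhdr that large.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Guard as currently written in _ksba_ber_read_tl: the first
   sub-condition skips the overflow test whenever nhdr > length. */
static int old_guard(size_t nhdr, size_t length)
{
  return length > nhdr && (nhdr + length) < length;
}

/* Proposed guard: the canonical unsigned overflow test (a + b) < a. */
static int new_guard(size_t nhdr, size_t length)
{
  return (nhdr + length) < nhdr;
}

/* Reference oracle that cannot wrap: does nhdr + length exceed SIZE_MAX? */
static int really_overflows(size_t nhdr, size_t length)
{
  return length > SIZE_MAX - nhdr;
}

/* Returns 1 for inputs where the sum wraps, the old guard stays silent,
   and the proposed guard reports it, i.e. exactly the gap described above. */
static int old_guard_misses(size_t nhdr, size_t length)
{
  return really_overflows(nhdr, length)
         && !old_guard(nhdr, length)
         && new_guard(nhdr, length);
}

int main(void)
{
  /* Synthetic nhdr (constructed): nhdr > length and the sum wraps to 0. */
  printf("nhdr=SIZE_MAX len=1: old=%d new=%d missed=%d\n",
         old_guard(SIZE_MAX, 1), new_guard(SIZE_MAX, 1),
         old_guard_misses(SIZE_MAX, 1));
  /* Realistic small nhdr with a huge length: both guards agree. */
  printf("nhdr=4 len=SIZE_MAX-2: old=%d new=%d missed=%d\n",
         old_guard(4, SIZE_MAX - 2), new_guard(4, SIZE_MAX - 2),
         old_guard_misses(4, SIZE_MAX - 2));
  /* Ordinary header, no overflow: neither guard fires. */
  printf("nhdr=4 len=100: old=%d new=%d\n",
         old_guard(4, 100), new_guard(4, 100));
  return 0;
}
```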