From e7f11018089195e77b19347101ffc8238e0d3816 Mon Sep 17 00:00:00 2001
From: Steve Karg
Date: Tue, 2 Dec 2025 15:04:45 -0600
Subject: [PATCH] Fixed array-bounds on BACnetObjectPropertyReference parsing. (#1167)
---
 CHANGELOG.md | 1 +
 src/bacnet/bacapp.c | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8df54fbe..dc17a26a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -43,6 +43,7 @@ The git repositories are hosted at the following sites:
 ### Fixed
+* Fixed array-bounds on BACnetObjectPropertyReference parsing. (#1167)
 * Fixed the missing BACnetObjectPropertyReference, BACnetSCFailedConnectionRequest, BACnetSCHubFunctionConnection, BACnetSCDirectConnection,BACnetSCHubConnection, BACnetTimerStateChangeValue,
diff --git a/src/bacnet/bacapp.c b/src/bacnet/bacapp.c
index da01effa..e1a5dd24 100644
--- a/src/bacnet/bacapp.c
+++ b/src/bacnet/bacapp.c
@@ -4415,7 +4415,7 @@ static bool device_object_property_reference_from_ascii(
 value->objectIdentifier.type = object_type;
 value->objectIdentifier.instance = object_instance;
 value->propertyIdentifier = property_id;
- if (array_index < 0) {
+ if (array_index < 0L) {
 value->arrayIndex = BACNET_ARRAY_ALL;
 } else {
 value->arrayIndex = array_index;
@@ -4490,6 +4490,9 @@ static bool object_property_reference_from_ascii(
 value->object_identifier.type = object_type;
 value->object_identifier.instance = object_instance;
 value->property_identifier = property_id;
+ if ((array_index >= BACNET_ARRAY_ALL) || (array_index < 0L)) {
+ array_index = BACNET_ARRAY_ALL;
+ }
 value->property_array_index = array_index;
 status = true;
 }
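Review bot: The else branch `value->arrayIndex = array_index;` in device_object_property_reference_from_ascii still stores any non-negative value unchecked, while the second hunk of this patch adds an upper-bound clamp to object_property_reference_from_ascii. If `array_index` here is also a long parsed from text and `arrayIndex` is a 32-bit field (neither declaration is visible in the hunk), an oversized index would be silently truncated where long is 64 bits. Using the same guard in both functions would close that gap: `if ((array_index < 0L) || (array_index >= BACNET_ARRAY_ALL)) {`. The function body starts and ends outside the hunk.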
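Review bot: The added clamp in object_property_reference_from_ascii maps an index that is too large to BACNET_ARRAY_ALL and still reaches `status = true`, so an oversized or mistyped index silently becomes a reference to the whole array instead of one element. Treating negative input as "all" matches the sibling function, but for the `array_index >= BACNET_ARRAY_ALL` case rejecting the string looks safer. If the mapping is intended, a comment such as `/* out-of-range index is treated as ALL, not as a parse error */` would record that. The comparison also mixes a signed `array_index` (inferred from the `0L` literal) with a constant whose type is not visible here, so an explicit cast or a note on the expected widths would help on targets where long is 32 bits. The function starts and ends outside the hunk.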