diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 4804c0bbe..b9109ba83 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -146,7 +146,7 @@ jobs:
 - name: target
 run: "rustc -vV | sed -n 's|host: ||p'"
 - name: Install cargo-nextest
- uses: taiki-e/install-action@56ab7930c591507f833cbaed864d201386d518a8
+ uses: taiki-e/install-action@a48a50298f98c47e46a957ae6f82c44cc4878e42 # v2.49.47
 with:
 tool: cargo-nextest
 - name: cargo build
@@ -310,7 +310,7 @@ jobs:
 - name: target
 run: "rustc -vV | sed -n 's|host: ||p'"
 - name: Install cargo-nextest
- uses: taiki-e/install-action@56ab7930c591507f833cbaed864d201386d518a8
+ uses: taiki-e/install-action@a48a50298f98c47e46a957ae6f82c44cc4878e42 # v2.49.47
 with:
 tool: cargo-nextest
 - name: Download wasi-sdk
@@ -340,7 +340,7 @@ jobs:
 rustup toolchain install nightly --component miri
 cargo +nightly miri setup
 - name: Install cargo-nextest
- uses: taiki-e/install-action@56ab7930c591507f833cbaed864d201386d518a8
+ uses: taiki-e/install-action@a48a50298f98c47e46a957ae6f82c44cc4878e42 # v2.49.47
 with:
 tool: cargo-nextest
 - name: Test public C api with miri
diff --git a/libbz2-rs-sys/src/decompress.rs b/libbz2-rs-sys/src/decompress.rs
index 6a7ce857b..fa06a1909 100644
--- a/libbz2-rs-sys/src/decompress.rs
+++ b/libbz2-rs-sys/src/decompress.rs
@@ -597,7 +597,7 @@ pub(crate) fn decompress(
 uc = GET_BYTE!(strm, s);
 s.origPtr = (s.origPtr << 8) | i32::from(uc);
- if !(0..10 + 100000 * i32::from(s.blockSize100k)).contains(&s.origPtr) {
+ if !(0..=10 + 100000 * i32::from(s.blockSize100k)).contains(&s.origPtr) {
 error!(BZ_DATA_ERROR);
 }
diff --git a/test-libbz2-rs-sys/src/lib.rs b/test-libbz2-rs-sys/src/lib.rs
index 99d750a1a..dec5fda9e 100644
--- a/test-libbz2-rs-sys/src/lib.rs
+++ b/test-libbz2-rs-sys/src/lib.rs
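Review bot: In libbz2-rs-sys/src/decompress.rs the widened range check `0..=10 + 100000 * i32::from(s.blockSize100k)` has no comment, so a later reader sees only a bounds check on a stream-supplied field being loosened with no stated reason. I would add a comment above the `if`, for example `// Inclusive upper bound on purpose: the C reference rejects only origPtr > 10 + 100000 * blockSize100k.` This range looks like a coarse sanity limit, so it is also worth confirming that `origPtr` is checked again against the real block length before it is used as an index. That code, like the start and end of `decompress` itself, lies outside this hunk.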
@@ -1454,3 +1454,26 @@ mod high_level_interface {
 drop(path_as_cstring);
 }
 }
+
+#[test]
+fn orig_ptr_bounds_check_off_by_1() {
+ // From https://git.radicallyopensecurity.com/ngi/ngicore-zip-linting-and-bzip2-in-rust/-/issues/6
+ //
+ // A bounds check in `decompress.rs` was off-by-one in the rust version.
+ let source: &[u8] = &[
+ 0x42, 0x5a, 0x68, 0x32, 0x31, 0x41, 0x59, 0x26, 0x53, 0x59, 0x03, 0x4f, 0x7e, 0x01, 0x01,
+ 0x86, 0xa5, 0x00, 0x00,
+ ];
+
+ let (err_c, dest_c) =
+ unsafe { crate::decompress_c_with_capacity(1 << 16, source.as_ptr(), source.len() as _) };
+
+ let (err_rs, dest_rs) =
+ unsafe { crate::decompress_rs_with_capacity(1 << 16, source.as_ptr(), source.len() as _) };
+
+ assert_eq!(err_c, err_rs);
+
+ if err_c == libbz2_rs_sys::BZ_OK {
+ assert_eq!(dest_c, dest_rs);
+ }
+}
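Review bot: The comment in `orig_ptr_bounds_check_off_by_1` points at an external issue but never says what the input encodes, so the boundary under test is invisible to anyone without access to that tracker. Decoding the bytes shown, the `BZh2` header gives blockSize100k = 2 and the 24-bit origPtr field is 200010, which is exactly `10 + 100000 * 2`; a comment such as `// "BZh2" => blockSize100k = 2; origPtr = 200010 = 10 + 100000 * 2, the inclusive upper bound` would record that. The input appears to end right after the block header, so `err_c == libbz2_rs_sys::BZ_OK` is unlikely to hold and the output comparison probably never runs. Asserting the specific return code expected from both implementations would keep the test meaningful if the two ever regress in the same way.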