3party/libzmq
0
0
Fork 0
mirror of https://github.com/zeromq/libzmq.git synced 2025-03-12 17:12:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4019 from bluca/fuzz_options

Browse Source 
Problem: zmq_z85_decode doesn't check its input length
This commit is contained in:
Doron Somech 2020-08-21 18:08:43 +03:00 committed by GitHub
commit 36dc251ed0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
NEWS
View File

@ -55,6 +55,9 @@
* ZMTP 3.1 peers will receive subscribe/cancel on PUB/SUB via commands rather * ZMTP 3.1 peers will receive subscribe/cancel on PUB/SUB via commands rather
than using the first byte of the payload. than using the first byte of the payload.
* zmq_z85_decode now checks that the input string's length is at least 5 characters
and always a multiple of 5 as per API specification.
* Fixed #3566 - malformed CURVE message can cause memory leak * Fixed #3566 - malformed CURVE message can cause memory leak
* Fixed #3567 - missing ZeroMQ_INCLUDE_DIR in ZeroMQConfig.cmake when only * Fixed #3567 - missing ZeroMQ_INCLUDE_DIR in ZeroMQConfig.cmake when only

5
src/zmq_utils.cpp
View File

@ -166,6 +166,11 @@ uint8_t *zmq_z85_decode (uint8_t *dest_, const char *string_)
unsigned int byte_nbr = 0; unsigned int byte_nbr = 0;
unsigned int char_nbr = 0; unsigned int char_nbr = 0;
uint32_t value = 0; uint32_t value = 0;
size_t src_len = strlen (string_);
if (src_len < 5 || src_len % 5 != 0)
goto error_inval;
while (string_[char_nbr]) { while (string_[char_nbr]) {
// Accumulate value in base 85 // Accumulate value in base 85
if (UINT32_MAX / 85 < value) { if (UINT32_MAX / 85 < value) {