The scan_length_prefixed_data() function returns the number of bytes
taken up by a varint length delimiter, plus the actual value of that
delimiter. Since it returns a uint32_t, a delimiter of 2^32 - 1 (or
close to that) could cause the return value to overflow and result in an
incorrect value.
At first I tried to fix it by making scan_length_prefixed_data() use a
size_t for its result, but I realized this would have no effect on
32-bit systems. To fix the problem for 32-bit, I changed the function to
return early if the length is 2 GiB or more (protobuf messages are not
allowed to be that large). I kept the size_t change anyway, since the
result will ultimately be stored in a size_t (ScannedMember.len) and we
might as well stay consistent with that.
Signed-off-by: Adam Cozzette <acozzette@google.com>
