mirror of
https://github.com/protobuf-c/protobuf-c.git
synced 2024-12-26 04:31:03 +08:00
d58d7ca271
The scan_length_prefixed_data() function returns the number of bytes taken up by a varint length delimiter, plus the actual value of that delimiter. Since it returns a uint32_t, a delimiter of 2^32 - 1 (or close to that) could cause the return value to overflow and result in an incorrect value.

At first I tried to fix it by making scan_length_prefixed_data() use a size_t for its result, but I realized this would have no effect on 32-bit systems. To fix the problem for 32-bit, I changed the function to return early if the length is 2 GiB or more (protobuf messages are not allowed to be that large). I kept the size_t change anyway, since the result will ultimately be stored in a size_t (ScannedMember.len) and we might as well stay consistent with that.

Signed-off-by: Adam Cozzette <acozzette@google.com>
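The wraparound described in the commit message, shown as an added example that is not protobuf-c's code: a simplified model of a length-prefix scanner before and after an early 2 GiB rejection. The names `decode_prefix`, `scan_unchecked` and `scan_checked` are hypothetical, and both input buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed inputs: a 5-byte varint encoding 2^32 - 1, and a valid 3-byte field. */
static const uint8_t wrap_input[] = { 0xff, 0xff, 0xff, 0xff, 0x0f };
static const uint8_t good_input[] = { 0x03, 'a', 'b', 'c' };

/* Hypothetical helper: decode a varint prefix of at most 5 bytes.
 * Returns the prefix size in bytes, or 0 if it is not terminated. */
static unsigned decode_prefix(size_t len, const uint8_t *data, uint32_t *val)
{
    unsigned max = len < 5 ? (unsigned)len : 5, shift = 0;
    *val = 0;
    for (unsigned i = 0; i < max; i++, shift += 7) {
        *val |= (uint32_t)(data[i] & 0x7f) << shift;
        if ((data[i] & 0x80) == 0)
            return i + 1;
    }
    return 0;
}

/* Before: prefix size + value summed in 32 bits, so the sum can wrap. */
static uint32_t scan_unchecked(size_t len, const uint8_t *data)
{
    uint32_t val, total;
    unsigned hdr = decode_prefix(len, data, &val);
    if (hdr == 0)
        return 0;
    total = hdr + val;            /* 5 + 0xFFFFFFFF wraps to 4 */
    return total > len ? 0 : total;
}

/* After: reject 2 GiB or more first, then add in size_t. */
static size_t scan_checked(size_t len, const uint8_t *data)
{
    uint32_t val;
    unsigned hdr = decode_prefix(len, data, &val);
    if (hdr == 0 || val > INT32_MAX)
        return 0;
    return (size_t)hdr + val > len ? 0 : (size_t)hdr + val;
}

int main(void)
{
    printf("wrap: unchecked=%u checked=%zu\n",
           (unsigned)scan_unchecked(sizeof wrap_input, wrap_input),
           scan_checked(sizeof wrap_input, wrap_input));
    printf("good: unchecked=%u checked=%zu\n",
           (unsigned)scan_unchecked(sizeof good_input, good_input),
           scan_checked(sizeof good_input, good_input));
    return 0;
}
```

In the unchecked version the wrapped total (4) is smaller than the 5-byte prefix itself yet still passes the bounds check against the buffer length, which is why the range check has to come before the addition rather than after it.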