mirror of
https://github.com/protobuf-c/protobuf-c.git
synced 2024-12-27 22:01:02 +08:00
d58d7ca271
The scan_length_prefixed_data() function returns the number of bytes taken up by a varint length delimiter, plus the actual value of that delimiter. Since it returns a uint32_t, a delimiter of 2^32 - 1 (or close to that) could cause the return value to overflow and result in an incorrect value. At first I tried to fix it by making scan_length_prefixed_data() use a size_t for its result, but I realized this would have no effect on 32-bit systems. To fix the problem for 32-bit, I changed the function to return early if the length is 2 GiB or more (protobuf messages are not allowed to be that large). I kept the size_t change anyway, since the result will ultimately be stored in a size_t (ScannedMember.len) and we might as well stay consistent with that. Signed-off-by: Adam Cozzette <acozzette@google.com>
25 lines
731 B
C
25 lines
731 B
C
#include <assert.h>
|
|
#include <stdlib.h>
|
|
|
|
#include "t/issue375/issue375.pb-c.h"
|
|
|
|
int main(void) {
|
|
// This buffer represents some serialized bytes where we have a length
|
|
// delimiter of 2^32 - 1 bytes for a particular repeated int32 field.
|
|
// We want to make sure that parsing a length delimiter this large does
|
|
// not cause a problematic integer overflow.
|
|
uint8_t buffer[] = {
|
|
// Field 1 with wire type 2 (length-delimited)
|
|
0x0a,
|
|
// Varint length delimiter: 2^32 - 1
|
|
0xff, 0xff, 0xff, 0xff, 0x0f,
|
|
};
|
|
// The parser should detect that this message is malformed and return
|
|
// null.
|
|
Issue375__TestMessage* m =
|
|
issue375__test_message__unpack(NULL, sizeof(buffer), buffer);
|
|
assert(m == NULL);
|
|
|
|
return EXIT_SUCCESS;
|
|
}
|