protobuf-c/t/issue375/issue375.proto
Adam Cozzette d58d7ca271 Fixed out-of-bounds read
The scan_length_prefixed_data() function returns the number of bytes
taken up by a varint length delimiter, plus the actual value of that
delimiter. Since it returns a uint32_t, a delimiter of 2^32 - 1 (or
close to that) could cause the return value to overflow and result in an
incorrect value.

At first I tried to fix it by making scan_length_prefixed_data() use a
size_t for its result, but I realized this would have no effect on
32-bit systems. To fix the problem for 32-bit, I changed the function to
return early if the length is 2 GiB or more (protobuf messages are not
allowed to be that large). I kept the size_t change anyway, since the
result will ultimately be stored in a size_t (ScannedMember.len) and we
might as well stay consistent with that.

Signed-off-by: Adam Cozzette <acozzette@google.com>
2019-05-16 12:30:08 -07:00

8 lines
90 B
Protocol Buffer

syntax = "proto2";
package issue375;
message TestMessage {
repeated int32 nums = 1;
}