diff options
| author | Shawn Willden <swillden@google.com> | 2021-06-25 10:44:06 -0600 |
|---|---|---|
| committer | Shawn Willden <swillden@google.com> | 2021-06-25 10:45:30 -0600 |
| commit | 4907264bdcc3da0477bb5648e55c07705e2793ba (patch) | |
| tree | b9b027af6f181031574ee05829b5fba078b01f2b | |
| parent | 2b7033bfad85c9b942411fe23e3231dad7c94c98 (diff) | |
| download | libcppbor-4907264bdcc3da0477bb5648e55c07705e2793ba.tar.gz | |
Check for integer overflow in cppbor::parseRecursively.android-12.0.0_r32android-12.0.0_r29android-12.0.0_r28android-12.0.0_r27android-12.0.0_r26android-12.0.0_r21android-12.0.0_r20android-12.0.0_r19android-12.0.0_r18android-12.0.0_r16android12-qpr1-releaseandroid12-qpr1-d-s3-releaseandroid12-qpr1-d-s2-releaseandroid12-qpr1-d-s1-releaseandroid12-qpr1-d-releaseandroid12-dev
Bug: 191303307
Test: Fuzzer from bug
Change-Id: I98830ec1bd77f152266f35a585d286be13a2551b
| -rw-r--r-- | src/cppbor_parse.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/cppbor_parse.cpp b/src/cppbor_parse.cpp index f5e8fcf..964a72d 100644 --- a/src/cppbor_parse.cpp +++ b/src/cppbor_parse.cpp @@ -96,7 +96,8 @@ std::tuple<const uint8_t*, ParseClient*> handleString(uint64_t length, const uin const uint8_t* valueBegin, const uint8_t* end, const std::string& errLabel, ParseClient* parseClient) { - if (end - valueBegin < static_cast<ssize_t>(length)) { + ssize_t signed_length = static_cast<ssize_t>(length); + if (end - valueBegin < signed_length || signed_length < 0) { parseClient->error(hdrBegin, insufficientLengthString(length, end - valueBegin, errLabel)); return {hdrBegin, nullptr /* end parsing */}; } |