This is an automated email from the ASF dual-hosted git repository.

astitcher pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-proton.git


The following commit(s) were added to refs/heads/main by this push:
     new b788baa  PROTON-2457: Buffer overrun found by fuzzing
b788baa is described below

commit b788baad3e9d9ba028d3d115e272e94a30227e17
Author: Andrew Stitcher <[email protected]>
AuthorDate: Fri Nov 5 14:16:09 2021 +0000

    PROTON-2457: Buffer overrun found by fuzzing
---
 c/src/core/consumers.h                             |  23 +++++++++++++--------
 .../minimized-fuzz-message-decode-6101905114267648 | Bin 0 -> 5 bytes
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/c/src/core/consumers.h b/c/src/core/consumers.h
index 48c3a0a..930c7c7 100644
--- a/c/src/core/consumers.h
+++ b/c/src/core/consumers.h
@@ -543,7 +543,8 @@ static inline bool consume_descriptor(pni_consumer_t* 
consumer, pni_consumer_t *
       size_t sposition = consumer->position;
       uint8_t type;
       consume_single_value_not_described(consumer, &type);
-      *subconsumer = 
(pni_consumer_t){.output_start=consumer->output_start+sposition, .position=0, 
.size=consumer->position-sposition};
+      size_t scsize = consumer->position > sposition ? 
consumer->position-sposition : 0;
+      *subconsumer = 
(pni_consumer_t){.output_start=consumer->output_start+sposition, .position=0, 
.size=scsize};
       return lq;
     }
     default:
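Review bot: The return value of `consume_single_value_not_described(consumer, &type)` is still ignored at the top of the hunk, so a failed read falls through to the new `scsize` guard and silently produces an empty subconsumer instead of an error. If that function reports failure the way the sibling pni_consumer_readf* calls in this file do, `if (!consume_single_value_not_described(consumer, &type)) return false;` would reject a truncated descriptor up front, and the `consumer->position > sposition` clamp would then only defend an invariant rather than mask a failure. Its signature is not visible from this hunk, so confirm it actually returns bool before relying on it. consume_descriptor starts before the hunk and continues past the `default:` line, and `lq` is defined outside it.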
@@ -561,15 +562,17 @@ static inline bool consume_list(pni_consumer_t* consumer, 
pni_consumer_t *subcon
     case PNE_LIST32: {
       uint32_t s;
       if (!pni_consumer_readf32(consumer, &s)) return false;
-      *subconsumer = 
(pni_consumer_t){.output_start=consumer->output_start+consumer->position, 
.position=0, .size=s};
-      consumer->position += s;
+      size_t scsize = s < consumer->size-consumer->position ? s : 
consumer->size-consumer->position;
+      *subconsumer = 
(pni_consumer_t){.output_start=consumer->output_start+consumer->position, 
.position=0, .size=scsize};
+      consumer->position += scsize;
       return pni_consumer_readf32(subconsumer, count);
     }
     case PNE_LIST8: {
       uint8_t s;
       if (!pni_consumer_readf8(consumer, &s)) return false;
-      *subconsumer = 
(pni_consumer_t){.output_start=consumer->output_start+consumer->position, 
.position=0, .size=s};
-      consumer->position += s;
+      size_t scsize = s < consumer->size-consumer->position ? s : 
consumer->size-consumer->position;
+      *subconsumer = 
(pni_consumer_t){.output_start=consumer->output_start+consumer->position, 
.position=0, .size=scsize};
+      consumer->position += scsize;
       uint8_t c;
       if (!pni_consumer_readf8(subconsumer, &c)) return false;
       *count = c;
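Review bot: The clamp added in the PNE_LIST32 and PNE_LIST8 cases still underflows if `consumer->position` has already advanced past `consumer->size`, because `consumer->size-consumer->position` is an unsigned subtraction that wraps to a huge value and then no longer bounds `s`. Whether position can exceed size depends on pni_consumer_readf32/readf8, which are outside this hunk, so this may be cheap insurance rather than a live bug, but the guard costs one comparison. Computing the remaining length once with an explicit check keeps the intent obvious: `size_t remaining = consumer->size > consumer->position ? consumer->size - consumer->position : 0;` followed by `size_t scsize = s < remaining ? s : remaining;`. The identical expression is repeated in the PNE_ARRAY32 and PNE_ARRAY8 cases of consume_array in the next hunk, so a small static inline helper such as `pni_consumer_remaining(const pni_consumer_t *c)` would replace four copies and give one place to comment that an oversized declared length is truncated to the bytes actually present rather than rejected. consume_list continues outside the hunk.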
@@ -598,16 +601,18 @@ static inline bool consume_array(pni_consumer_t* 
consumer, pni_consumer_t *subco
     case PNE_ARRAY32: {
       uint32_t s;
       if (!pni_consumer_readf32(consumer, &s)) return false;
-      *subconsumer = 
(pni_consumer_t){.output_start=consumer->output_start+consumer->position, 
.position=0, .size=s};
-      consumer->position += s;
+      size_t scsize = s < consumer->size-consumer->position ? s : 
consumer->size-consumer->position;
+      *subconsumer = 
(pni_consumer_t){.output_start=consumer->output_start+consumer->position, 
.position=0, .size=scsize};
+      consumer->position += scsize;
       if (!pni_consumer_readf32(subconsumer, count)) return false;
       return pni_consumer_readf8(subconsumer, element_type);
     }
     case PNE_ARRAY8: {
       uint8_t s;
       if (!pni_consumer_readf8(consumer, &s)) return false;
-      *subconsumer = 
(pni_consumer_t){.output_start=consumer->output_start+consumer->position, 
.position=0, .size=s};
-      consumer->position += s;
+      size_t scsize = s < consumer->size-consumer->position ? s : 
consumer->size-consumer->position;
+      *subconsumer = 
(pni_consumer_t){.output_start=consumer->output_start+consumer->position, 
.position=0, .size=scsize};
+      consumer->position += scsize;
       uint8_t c;
       if (!pni_consumer_readf8(subconsumer, &c)) return false;
       *count = c;
diff --git 
a/c/tests/fuzz/fuzz-message-decode/minimized-fuzz-message-decode-6101905114267648
 
b/c/tests/fuzz/fuzz-message-decode/minimized-fuzz-message-decode-6101905114267648
new file mode 100644
index 0000000..a8d73e8
Binary files /dev/null and 
b/c/tests/fuzz/fuzz-message-decode/minimized-fuzz-message-decode-6101905114267648
 differ
