PROTON-1414: Fix fuzzer found read past buffer end
Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/f66a9701 Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/f66a9701 Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/f66a9701 Branch: refs/heads/go1 Commit: f66a970196ee0aa58a38daf8ada94ca1a0ecb862 Parents: 99b1d7f Author: Andrew Stitcher <astitc...@apache.org> Authored: Thu Mar 22 00:06:27 2018 -0400 Committer: Andrew Stitcher <astitc...@apache.org> Committed: Thu Mar 22 02:18:42 2018 -0400
----------------------------------------------------------------------
proton-c/src/core/decoder.c | 2 ++ .../minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba | 1 + tests/python/proton_tests/sasl.py | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f66a9701/proton-c/src/core/decoder.c
----------------------------------------------------------------------
diff --git a/proton-c/src/core/decoder.c b/proton-c/src/core/decoder.c
index fc01767..f56b275 100644
--- a/proton-c/src/core/decoder.c
+++ b/proton-c/src/core/decoder.c
@@ -368,6 +368,7 @@ static int pni_decoder_decode_value(pn_decoder_t *decoder, pn_data_t *data, uint
 case PNE_MAP8:
 if (pn_decoder_remaining(decoder) < 2) return PN_UNDERFLOW;
 size = pn_decoder_readf8(decoder);
+ if (pn_decoder_remaining(decoder) < size) return PN_UNDERFLOW;
 count = pn_decoder_readf8(decoder);
 break;
 case PNE_ARRAY32:
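Review bot: The new guard proves that the buffer holds `size` bytes but not that `size` itself is large enough to cover the `count` field read on the next line, so a MAP8 carrying size 0 (or, in the hunk at @@ -375, a MAP32 carrying a size below 4) passes the check and its count is then taken from bytes the compound does not claim to own; the earlier `< 2` / `< 8` checks keep that read inside the buffer, so this is malformed input being accepted rather than another overrun. A minimum-size check belongs beside the new line, e.g. `if (size < 1) return PN_ARG_ERR;` here and `if (size < 4) return PN_ARG_ERR;` in the MAP32 case, assuming PN_ARG_ERR is the code this decoder's `default:` branch already returns for malformed type codes. pni_decoder_decode_value and its switch start and end outside both hunks, so whether the element loop that follows verifies that exactly `size` bytes get consumed cannot be confirmed from here.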
@@ -375,6 +376,7 @@ static int pni_decoder_decode_value(pn_decoder_t *decoder, pn_data_t *data, uint
 case PNE_MAP32:
 if (pn_decoder_remaining(decoder) < 8) return PN_UNDERFLOW;
 size = pn_decoder_readf32(decoder);
+ if (pn_decoder_remaining(decoder) < size) return PN_UNDERFLOW;
 count = pn_decoder_readf32(decoder);
 break;
 default:
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f66a9701/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
----------------------------------------------------------------------
diff --git a/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba b/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
new file mode 100644
index 0000000..3de6476
--- /dev/null
+++ b/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
@@ -0,0 +1 @@
+��
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f66a9701/tests/python/proton_tests/sasl.py
----------------------------------------------------------------------
diff --git a/tests/python/proton_tests/sasl.py b/tests/python/proton_tests/sasl.py
index e916229..804c828 100644
--- a/tests/python/proton_tests/sasl.py
+++ b/tests/python/proton_tests/sasl.py
@@ -224,7 +224,7 @@ class SaslTest(Test):
 out = self.t1.peek(1024)
 self.t1.pop(len(out))
- self.t1.push(str2bin("6\x02\x01\x00\x00\x00S@\xc04\x01\xe01\x04\xa3\x05PLAIN\x0aDIGEST-MD5\x09ANONYMOUS\x08CRAM-MD5"))
+ self.t1.push(str2bin("6\x02\x01\x00\x00\x00S@\xc0\x29\x01\xe0\x26\x04\xa3\x05PLAIN\x0aDIGEST-MD5\x09ANONYMOUS\x08CRAM-MD5"))
 out = self.t1.peek(1024)
 self.t1.pop(len(out))
 self.t1.push(str2bin("\x00\x00\x00\x10\x02\x01\x00\x00\x00SD\xc0\x03\x01P\x00"))
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
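Review bot: The two edited bytes, `\xc04` to `\xc0\x29` and `\xe01` to `\xe0\x26`, appear to be the size fields of a list8 (0xc0) and an array8 (0xe0) encoding, and nothing in the test says why they change, so the link to the decoder's new remaining-versus-size check will be lost on the next reader. The old values (0x34 and 0x31) declare more bytes than actually follow in the literal (41 and 38 by my count), which is presumably why this frame would now be rejected as PN_UNDERFLOW. A one-line comment above the push, such as `# list/array size bytes must not exceed the payload that follows; the decoder now rejects oversized sizes`, would record the reason. The enclosing test method starts and ends outside the hunk.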