From 2fb25b9328d6915be8d104a0f0d02cc4e4e6b09e Mon Sep 17 00:00:00 2001 From: iphydf Date: Tue, 5 Apr 2022 10:41:51 +0000 Subject: [PATCH] refactor: Protect array unpacking against invalid lengths. Each array element is at least 1 byte, so if there are fewer bytes than array elements, the array size is invalid. --- other/bootstrap_daemon/docker/tox-bootstrapd.sha256 | 2 +- toxcore/bin_pack_test.cc | 9 +++++++++ toxcore/bin_unpack.c | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/other/bootstrap_daemon/docker/tox-bootstrapd.sha256 b/other/bootstrap_daemon/docker/tox-bootstrapd.sha256 index 7b90657c92..cda3bbd3ef 100644 --- a/other/bootstrap_daemon/docker/tox-bootstrapd.sha256 +++ b/other/bootstrap_daemon/docker/tox-bootstrapd.sha256 @@ -1 +1 @@ -146fb36bf3100115f913a07583c096c8dc98ab26e1220567e465b2ca86a69583 /usr/local/bin/tox-bootstrapd +95ae45707c9a19ea9c8c0a537c5defb228f8d7eca1c51c0225a3bc07a50891c6 /usr/local/bin/tox-bootstrapd diff --git a/toxcore/bin_pack_test.cc b/toxcore/bin_pack_test.cc index 3b97bf63f1..05140146df 100644 --- a/toxcore/bin_pack_test.cc +++ b/toxcore/bin_pack_test.cc @@ -122,4 +122,13 @@ TEST(BinPack, BinCanHoldArbitraryData) EXPECT_EQ(str, (std::array{'h', 'e', 'l', 'l', 'o'})); } +TEST(BinPack, OversizedArrayFailsUnpack) +{ + std::array buf = {0x91}; + + Bin_Unpack_Ptr bu(bin_unpack_new(buf.data(), buf.size())); + uint32_t size; + EXPECT_FALSE(bin_unpack_array(bu.get(), &size)); +} + } // namespace diff --git a/toxcore/bin_unpack.c b/toxcore/bin_unpack.c index 67c0fa8c0f..e4daec3a22 100644 --- a/toxcore/bin_unpack.c +++ b/toxcore/bin_unpack.c @@ -70,7 +70,7 @@ void bin_unpack_free(Bin_Unpack *bu) bool bin_unpack_array(Bin_Unpack *bu, uint32_t *size) { - return cmp_read_array(&bu->ctx, size); + return cmp_read_array(&bu->ctx, size) && *size <= bu->bytes_size; } bool bin_unpack_array_fixed(Bin_Unpack *bu, uint32_t required_size)