Fix for #116 (#117)

* Add simple fuzzer and one failing test case * Fix for #116
mongodb · Mar 1, 2019 · 8d8e90c · 8d8e90c
1 parent 31a74d9
commit 8d8e90c
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 0 deletions.
diff --git a/fuzz/.gitignore b/fuzz/.gitignore
@@ -0,0 +1,4 @@
+
+target
+corpus
+artifacts
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -0,0 +1,26 @@
+
+[package]
+name = "bson-fuzz"
+version = "0.0.1"
+authors = ["Automatically generated"]
+publish = false
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies.bson]
+path = ".."
+[dependencies.libfuzzer-sys]
+git = "https://github.com/rust-fuzz/libfuzzer-sys.git"
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[[bin]]
+name = "fuzz_target_1"
+path = "fuzz_targets/fuzz_target_1.rs"
+
+[[bin]]
+name = "decode"
+path = "fuzz_targets/decode.rs"
diff --git a/fuzz/fuzz_targets/decode.rs b/fuzz/fuzz_targets/decode.rs
@@ -0,0 +1,10 @@
+#![no_main]
+#[macro_use] extern crate libfuzzer_sys;
+extern crate bson;
+
+use bson::decode_document;
+use std::io::Cursor;
+
+fuzz_target!(|buf: &[u8]| {
+    let _ = decode_document(&mut Cursor::new(&buf[..]));
+});
diff --git a/src/decoder/mod.rs b/src/decoder/mod.rs
@@ -39,6 +39,8 @@ use spec::{self, BinarySubtype};
 
 use serde::de::Deserialize;
 
+const MAX_BSON_SIZE: i32 = 16 * 1024 * 1024;
+
 fn read_string<R: Read + ?Sized>(reader: &mut R, utf8_lossy: bool) -> DecoderResult<String> {
     let len = reader.read_i32::<LittleEndian>()?;
 
@@ -170,6 +172,9 @@ fn decode_bson<R: Read + ?Sized>(reader: &mut R, tag: u8, utf8_lossy: bool) -> D
         Some(Array) => decode_array(reader, utf8_lossy).map(Bson::Array),
         Some(Binary) => {
             let len = read_i32(reader)?;
+            if len < 0 || len > MAX_BSON_SIZE {
+                return Err(DecoderError::InvalidLength(len as usize, format!("Invalid binary length of {}", len)));
+            }
             let subtype = BinarySubtype::from(reader.read_u8()?);
             let mut data = Vec::with_capacity(len as usize);
             reader.take(len as u64).read_to_end(&mut data)?;

diff --git a/tests/modules/encoder_decoder.rs b/tests/modules/encoder_decoder.rs
@@ -310,3 +310,10 @@ fn test_decode_multiply_overflows_issue64() {
 
     assert!(decode_document(&mut Cursor::new(&buffer[..])).is_err());
 }
+
+
+#[test]
+fn test_illegal_size(){
+    let buffer = [0x06, 0xcc, 0xf9, 0x0a, 0x05, 0x00, 0x00, 0x03, 0x00, 0xff, 0xff];
+    assert!(decode_document(&mut Cursor::new(&buffer[..])).is_err());
+}