Fixed issue 1 reported by Erik Rosen:
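--- a/pb_decode.c
+++ b/pb_decode.c
@@ -509,7 +509,8 @@ bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_t *field, voi
 return false;
 x->size = temp;
-if (x->size > field->data_size)
+/* Check length, noting the space taken by the size_t header. */
+if (x->size > field->data_size - offsetof(pb_bytes_array_t, bytes))
 return false;
 return pb_read(stream, x->bytes, x->size);
@@ -522,6 +523,7 @@ bool checkreturn pb_dec_string(pb_istream_t *stream, const pb_field_t *field, vo
 if (!pb_decode_varint32(stream, &size))
 return false;
+/* Check length, noting the null terminator */
 if (size > field->data_size - 1)
 return false;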
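Review bot: The new bound in pb_dec_bytes, `field->data_size - offsetof(pb_bytes_array_t, bytes)`, wraps to a very large value if data_size is an unsigned type and a field descriptor ever carries a data_size smaller than the header offset; the length check would then accept any decoded size before pb_read writes into x->bytes. Neither the type of data_size nor a lower bound on it is visible in this hunk, so I would make the check self-contained: `if (field->data_size < offsetof(pb_bytes_array_t, bytes) || x->size > field->data_size - offsetof(pb_bytes_array_t, bytes)) return false;`. The existing `size > field->data_size - 1` test in pb_dec_string has the same shape when data_size is 0 and deserves the same guard. Both function bodies start and end outside the hunks shown.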