X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;f=pb_decode.c;h=5d2110239b94d7ebd7445ed7a3a4d4c81692b0ed;hb=be0b9e047a007685aa10a268f9bf856e9a52ef58;hp=40da1aa4de177cb41b32ea04353cfc9a4c9a0370;hpb=a641e21b34aed824b6b919f7ab9937eaadf09473;p=apps%2Fagl-service-can-low-level.git
diff --git a/pb_decode.c b/pb_decode.c
index 40da1aa4..5d211023 100644
--- a/pb_decode.c
+++ b/pb_decode.c
@@ -352,7 +352,7 @@ static bool checkreturn decode_static_field(pb_istream_t *stream, pb_wire_type_t
 {
 /* Packed array */
 bool status = true;
- size_t *size = (size_t*)iter->pSize;
+ pb_size_t *size = (pb_size_t*)iter->pSize;
 pb_istream_t substream;
 if (!pb_make_string_substream(stream, &substream))
 return false;
@@ -377,7 +377,7 @@ static bool checkreturn decode_static_field(pb_istream_t *stream, pb_wire_type_t
 else
 {
 /* Repeated field */
- size_t *size = (size_t*)iter->pSize;
+ pb_size_t *size = (pb_size_t*)iter->pSize;
 void *pItem = (uint8_t*)iter->pData + iter->pos->data_size * (*size);
 if (*size >= iter->pos->array_size)
 PB_RETURN_ERROR(stream, "array overflow");
@@ -444,8 +444,8 @@ static void initialize_pointer_field(void *pItem, pb_field_iter_t *iter)
 static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)
 {
 #ifndef PB_ENABLE_MALLOC
- UNUSED(wire_type);
- UNUSED(iter);
+ PB_UNUSED(wire_type);
+ PB_UNUSED(iter);
 PB_RETURN_ERROR(stream, "no malloc support");
 #else
 pb_type_t type;
@@ -478,7 +478,7 @@ static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_
 {
 /* Packed array, multiple items come in at once. */
 bool status = true;
- size_t *size = (size_t*)iter->pSize;
+ pb_size_t *size = (pb_size_t*)iter->pSize;
 size_t allocated_size = *size;
 void *pItem;
 pb_istream_t substream;
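Review bot: The `(pb_size_t*)iter->pSize` cast in the packed-array branch of decode_static_field (hunk at 352) stores the element count through a pointer whose width now follows the pb_size_t configuration, and nothing visible in the hunk ties the struct's count field to that same type. If a message struct compiled against headers that still declare the count as `size_t` reaches this code, the store would cover only part of the field; that depends on generated headers outside this diff, so it should be confirmed rather than assumed. A comment at the cast would record the contract, for example `/* pSize points at a pb_size_t count field emitted by the generator */`. The same cast recurs in the hunks at 377, 478, 519, 690, 718, 878 and 889, and the body of decode_static_field starts and ends outside the hunk.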
@@ -488,7 +488,7 @@ static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_ while (substream.bytes_left) { - if (*size + 1 > allocated_size) + if ((size_t)*size + 1 > allocated_size) { /* Allocate more storage. This tries to guess the * number of remaining entries. Round the division @@ -510,6 +510,16 @@ static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_ status = false; break; } + + if (*size == PB_SIZE_MAX) + { +#ifndef PB_NO_ERRMSG + stream->errmsg = "too many array entries"; +#endif + status = false; + break; + } + (*size)++; } pb_close_string_substream(stream, &substream); @@ -519,9 +529,12 @@ static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_ else { /* Normal repeated field, i.e. only one item at a time. */ - size_t *size = (size_t*)iter->pSize; + pb_size_t *size = (pb_size_t*)iter->pSize; void *pItem; + if (*size == PB_SIZE_MAX) + PB_RETURN_ERROR(stream, "too many array entries"); + (*size)++; if (!allocate_field(stream, iter->pData, iter->pos->data_size, *size)) return false; @@ -616,7 +629,7 @@ static bool checkreturn default_extension_decoder(pb_istream_t *stream, /* Fake a field iterator for the extension field. * It is not actually safe to advance this iterator, but decode_field * will not even try to. */ - pb_field_iter_begin(&iter, field, extension->dest); + (void)pb_field_iter_begin(&iter, field, extension->dest); iter.pData = extension->dest; iter.pSize = &extension->found; 
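Review bot: In the packed-array loop of decode_pointer_field (hunk at 510) the new `if (*size == PB_SIZE_MAX)` test sits after the error block for the decoded entry and just before `(*size)++`, so by the time it fires the loop has presumably already grown the buffer and decoded one entry that can never be counted. Placing the test at the top of the `while (substream.bytes_left)` body, ahead of the `(size_t)*size + 1 > allocated_size` growth check from the hunk at 488, would reject the input before that work is done. The hand-written `stream->errmsg = ...` under `#ifndef PB_NO_ERRMSG` would also benefit from a short comment such as `/* not PB_RETURN_ERROR: the substream still has to be closed below */`, since the other new check uses the macro. The loop body between the two hunks is not shown, so the ordering should be checked against the full function.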
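Review bot: In the single-item branch (hunk at 519) `(*size)++` still runs before `allocate_field(...)`, so when the allocation fails the function returns false with the count already one larger than the storage that was actually obtained. The release code later in this diff (hunk at 878) frees `count` entries read from the same field, so a stale count looks like it could make cleanup walk past the allocation; whether that path runs after a failed decode depends on callers outside this page. Allocating first and incrementing afterwards keeps the two in step: `if (!allocate_field(stream, iter->pData, iter->pos->data_size, (size_t)*size + 1)) return false;` followed by `(*size)++;`. Any later use of `*size` as an index in this branch, which is outside the hunk, would need adjusting to match.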
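Review bot: The `(void)pb_field_iter_begin(&iter, field, extension->dest);` line in default_extension_decoder (hunk at 616) discards the result without saying why, while the equivalent line in the hunk at 738 carries a comment explaining that the empty-message case is handled later. If an extension field descriptor can never be empty, a one-line comment such as `/* Extension descriptors always hold one field, so the return value carries no information */` would make that assumption reviewable; if it can be empty, the false return probably needs handling before the iterator is used. The descriptor's construction is outside this hunk, so which of the two applies has to be confirmed there.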
@@ -668,16 +681,14 @@ static bool checkreturn find_extension_field(pb_field_iter_t *iter)
 static void pb_message_set_to_defaults(const pb_field_t fields[], void *dest_struct)
 {
 pb_field_iter_t iter;
- pb_field_iter_begin(&iter, fields, dest_struct);
+
+ if (!pb_field_iter_begin(&iter, fields, dest_struct))
+ return; /* Empty message type */
 do
 {
 pb_type_t type;
 type = iter.pos->type;
-
- /* Avoid crash on empty message types (zero fields) */
- if (iter.pos->tag == 0)
- continue;
 if (PB_ATYPE(type) == PB_ATYPE_STATIC)
 {
@@ -690,7 +701,7 @@ static void pb_message_set_to_defaults(const pb_field_t fields[], void *dest_str
 else if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
 {
 /* Set array count to 0, no need to initialize contents. */
- *(size_t*)iter.pSize = 0;
+ *(pb_size_t*)iter.pSize = 0;
 continue;
 }
@@ -718,7 +729,7 @@ static void pb_message_set_to_defaults(const pb_field_t fields[], void *dest_str
 /* Initialize array count to 0. */
 if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
 {
- *(size_t*)iter.pSize = 0;
+ *(pb_size_t*)iter.pSize = 0;
 }
 }
 else if (PB_ATYPE(type) == PB_ATYPE_CALLBACK)
@@ -738,7 +749,9 @@ bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[
 uint32_t extension_range_start = 0;
 pb_field_iter_t iter;
- pb_field_iter_begin(&iter, fields, dest_struct);
+ /* Return value ignored, as empty message types will be correctly handled by
+ * pb_field_iter_find() anyway. */
+ (void)pb_field_iter_begin(&iter, fields, dest_struct);
 while (stream->bytes_left)
 {
@@ -859,17 +872,15 @@ bool pb_decode_delimited(pb_istream_t *stream, const pb_field_t fields[], void * void pb_release(const pb_field_t fields[], void *dest_struct) { pb_field_iter_t iter; - pb_field_iter_begin(&iter, fields, dest_struct); + + if (!pb_field_iter_begin(&iter, fields, dest_struct)) + return; /* Empty message type */ do { pb_type_t type; type = iter.pos->type; - /* Avoid crash on empty message types (zero fields) */ - if (iter.pos->tag == 0) - continue; - if (PB_ATYPE(type) == PB_ATYPE_POINTER) { if (PB_HTYPE(type) == PB_HTYPE_REPEATED && @@ -878,7 +889,7 @@ void pb_release(const pb_field_t fields[], void *dest_struct) { /* Release entries in repeated string or bytes array */ void **pItem = *(void***)iter.pData; - size_t count = *(size_t*)iter.pSize; + pb_size_t count = *(pb_size_t*)iter.pSize; while (count--) { pb_free(*pItem); @@ -889,11 +900,11 @@ void pb_release(const pb_field_t fields[], void *dest_struct) { /* Release fields in submessages */ void *pItem = *(void**)iter.pData; - size_t count = (pItem ? 1 : 0); + pb_size_t count = (pItem ? 1 : 0); if (PB_HTYPE(type) == PB_HTYPE_REPEATED) { - count = *(size_t*)iter.pSize; + count = *(pb_size_t*)iter.pSize; } while (count--) @@ -1021,13 +1032,13 @@ static bool checkreturn pb_dec_svarint(pb_istream_t *stream, const pb_field_t *f static bool checkreturn pb_dec_fixed32(pb_istream_t *stream, const pb_field_t *field, void *dest) { - UNUSED(field); + PB_UNUSED(field); return pb_decode_fixed32(stream, dest); } static bool checkreturn pb_dec_fixed64(pb_istream_t *stream, const pb_field_t *field, void *dest) { - UNUSED(field); + PB_UNUSED(field); return pb_decode_fixed64(stream, dest); } @@ -1056,7 +1067,12 @@ static bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_t *fie bdest = (pb_bytes_array_t*)dest; } - bdest->size = size; + if (size > PB_SIZE_MAX) + { + PB_RETURN_ERROR(stream, "bytes overflow"); + } + + bdest->size = (pb_size_t)size; return pb_read(stream, bdest->bytes, size); }
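Review bot: In pb_dec_bytes (hunk at 1056) the new `size > PB_SIZE_MAX` test runs only after `bdest` has been selected, and the closing `bdest = (pb_bytes_array_t*)dest; }` context suggests the branch above it has already sized or allocated the destination from the same wire-supplied length. Rejecting the length as soon as it has been decoded would keep an oversized value from reaching any allocation or capacity comparison first: move `if (size > PB_SIZE_MAX) PB_RETURN_ERROR(stream, "bytes overflow");` up to just after the length is read. The start of the function is outside the hunk, so the exact position has to be confirmed there.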