Fix potential out-of-bounds read with more than 64 required fields
authorPetteri Aimonen <jpa@git.mail.kapsi.fi>
Sun, 12 Mar 2017 10:18:32 +0000 (12:18 +0200)
committerPetteri Aimonen <jpa@git.mail.kapsi.fi>
Sun, 12 Mar 2017 10:18:32 +0000 (12:18 +0200)
pb_decode.c

index e2e90ca..06d766a 100644 (file)
@@ -934,6 +934,9 @@ bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[
         if (PB_HTYPE(last_type) == PB_HTYPE_REQUIRED && iter.pos->tag != 0)
             req_field_count++;
         
+        if (req_field_count > PB_MAX_REQUIRED_FIELDS)
+            req_field_count = PB_MAX_REQUIRED_FIELDS;
+
         if (req_field_count > 0)
         {
             /* Check the whole words */
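Review bot: The clamp at `if (req_field_count > PB_MAX_REQUIRED_FIELDS)` silently stops presence checking for every required field past the limit, and nothing in the hunk tells the reader so. A message that omits such a field would still decode successfully, which matters when callers rely on "required" as a validation guarantee for untrusted input. I would add a comment above the clamp such as `/* Only the first PB_MAX_REQUIRED_FIELDS required fields are tracked in fields_seen; any beyond that are not checked for presence. */`, assuming fields_seen is sized from that constant, since its declaration is outside the hunk. The body of pb_decode_noinit starts and ends outside this hunk, and the second hunk's `(req_field_count & 31) != 0` guard depends on this clamp to keep the index in range.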
@@ -943,9 +946,15 @@ bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[
                     PB_RETURN_ERROR(stream, "missing required field");
             }
             
-            /* Check the remaining bits */
-            if (fields_seen[req_field_count >> 5] != (allbits >> (32 - (req_field_count & 31))))
-                PB_RETURN_ERROR(stream, "missing required field");
+            /* Check the remaining bits (if any) */
+            if ((req_field_count & 31) != 0)
+            {
+                if (fields_seen[req_field_count >> 5] !=
+                    (allbits >> (32 - (req_field_count & 31))))
+                {
+                    PB_RETURN_ERROR(stream, "missing required field");
+                }
+            }
         }
     }