Protect against corrupted _count fields in pb_release().
author Petteri Aimonen <jpa@git.mail.kapsi.fi>
Mon, 6 Jun 2016 18:01:22 +0000 (21:01 +0300)
committer Petteri Aimonen <jpa@git.mail.kapsi.fi>
Mon, 6 Jun 2016 18:01:22 +0000 (21:01 +0300)
Fixes a potential security issue (#205). Only relevant if the user
code writes untrusted data to _count fields, but this is allowed as
per the security model.

pb_decode.c

index 1699091..78911e7 100644 (file)
@@ -1035,6 +1035,12 @@ static void pb_release_single_field(const pb_field_iter_t *iter)
         if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
         {
             count = *(pb_size_t*)iter->pSize;
+
+            if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > iter->pos->array_size)
+            {
+                /* Protect against corrupted _count fields */
+                count = iter->pos->array_size;
+            }
         }
         
         if (pItem)
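Review bot: the clamp at `if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > iter->pos->array_size)` only bounds static arrays; for PB_ATYPE_POINTER repeated fields `count` is still taken verbatim from `*(pb_size_t*)iter->pSize` and used for the release loop below. Either state in the commit message or the new comment that pointer-type counts are intentionally still trusted (and why that is safe under the security model), or extend the check to whatever bound the pointer case has, so a reader of `/* Protect against corrupted _count fields */` is not led to believe all repeated fields are now covered.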