(parent: 3af7d09)
Protect against corrupted _count fields in pb_release().
author Petteri Aimonen <jpa@git.mail.kapsi.fi> Mon, 6 Jun 2016 18:01:22 +0000 (21:01 +0300)
committer Petteri Aimonen <jpa@git.mail.kapsi.fi> Mon, 6 Jun 2016 18:01:22 +0000 (21:01 +0300)
Fixes a potential security issue (#205). Only relevant if the user
code writes untrusted data to _count fields, but this is allowed as
per the security model.
diff --git
a/pb_decode.c
b/pb_decode.c
index
1699091
..
78911e7
100644
(file)
--- a/
pb_decode.c
+++ b/
pb_decode.c
@@
-1035,6
+1035,12
@@
static void pb_release_single_field(const pb_field_iter_t *iter)
if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
{
count = *(pb_size_t*)iter->pSize;
+
+ if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > iter->pos->array_size)
+ {
+ /* Protect against corrupted _count fields */
+ count = iter->pos->array_size;
+ }
}
if (pItem)
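Review bot: The new clamp in pb_release_single_field() is conditioned on PB_ATYPE(type) == PB_ATYPE_STATIC, so for every other allocation type the count read from iter->pSize is still used unchecked. The comment "Protect against corrupted _count fields" reads as if all repeated fields were covered, so it should say that only static arrays are bounded here and why the other cases are left alone. The clamp is also silent: an oversized count is reduced to iter->pos->array_size with nothing reported, which fits a void release function but deserves a word in the comment. A regression test that sets a _count field above array_size before calling pb_release() would keep this guard from being dropped in a later refactor.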