From: Petteri Aimonen <jpa@git.mail.kapsi.fi>
Date: Sun, 12 Mar 2017 10:18:32 +0000 (+0200)
Subject: Fix potential out-of-bounds read with more than 64 required fields
X-Git-Tag: 3.99.1~14^2~5
X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=commitdiff_plain;h=44e559d9ce74855bd48d8050ab6cf6391b980239;p=apps%2Flow-level-can-service.git

Fix potential out-of-bounds read with more than 64 required fields
---

diff --git a/pb_decode.c b/pb_decode.c
index e2e90ca..06d766a 100644
--- a/pb_decode.c
+++ b/pb_decode.c
@@ -934,6 +934,9 @@ bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[
         if (PB_HTYPE(last_type) == PB_HTYPE_REQUIRED && iter.pos->tag != 0)
             req_field_count++;
         
+        if (req_field_count > PB_MAX_REQUIRED_FIELDS)
+            req_field_count = PB_MAX_REQUIRED_FIELDS;
+
         if (req_field_count > 0)
         {
             /* Check the whole words */
@@ -943,9 +946,15 @@ bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[
                     PB_RETURN_ERROR(stream, "missing required field");
             }
             
-            /* Check the remaining bits */
-            if (fields_seen[req_field_count >> 5] != (allbits >> (32 - (req_field_count & 31))))
-                PB_RETURN_ERROR(stream, "missing required field");
+            /* Check the remaining bits (if any) */
+            if ((req_field_count & 31) != 0)
+            {
+                if (fields_seen[req_field_count >> 5] !=
+                    (allbits >> (32 - (req_field_count & 31))))
+                {
+                    PB_RETURN_ERROR(stream, "missing required field");
+                }
+            }
         }
     }