From: Petteri Aimonen Date: Mon, 6 Jun 2016 18:01:22 +0000 (+0300) Subject: Protect against corrupted _count fields in pb_release(). X-Git-Tag: 5.0.2~186^2~68 X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=commitdiff_plain;h=bb52a7a3e1802a65e2347f3a7a48c6fb3bdc47e4;p=apps%2Fagl-service-can-low-level.git Protect against corrupted _count fields in pb_release(). Fixes a potential security issue (#205). Only relevant if the user code writes untrusted data to _count fields, but this is allowed as per the security model. --- diff --git a/pb_decode.c b/pb_decode.c index 1699091c..78911e7b 100644 --- a/pb_decode.c +++ b/pb_decode.c @@ -1035,6 +1035,12 @@ static void pb_release_single_field(const pb_field_iter_t *iter) if (PB_HTYPE(type) == PB_HTYPE_REPEATED) { count = *(pb_size_t*)iter->pSize; + + if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > iter->pos->array_size) + { + /* Protect against corrupted _count fields */ + count = iter->pos->array_size; + } } if (pItem)
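Review bot: The new bound in pb_release_single_field() only clamps `count` when `PB_ATYPE(type) == PB_ATYPE_STATIC`, so the commit message should state explicitly that pointer-type repeated fields (PB_ATYPE_POINTER) are intentionally left out and why, since `iter->pos->array_size` is the static allocation size and carries no meaning for heap-allocated arrays; a reader checking the fix for #205 otherwise cannot tell whether the pointer case was considered or missed. Two smaller points: the clamp is silent, which is the right choice for a release routine that has no error path, but the in-code comment could say "clamp to the static array size rather than reading past the struct" so the intent of preferring truncation over a fault is recorded where the code lives; and a regression test that fills a static repeated field's `_count` with a value above `array_size` and then calls pb_release() would pin this behaviour down and keep it from regressing.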