From 44e559d9ce74855bd48d8050ab6cf6391b980239 Mon Sep 17 00:00:00 2001 From: Petteri Aimonen Date: Sun, 12 Mar 2017 12:18:32 +0200 Subject: [PATCH] Fix potential out-of-bounds read with more than 64 required fields --- pb_decode.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/pb_decode.c b/pb_decode.c index e2e90ca..06d766a 100644 --- a/pb_decode.c +++ b/pb_decode.c @@ -934,6 +934,9 @@ bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[ if (PB_HTYPE(last_type) == PB_HTYPE_REQUIRED && iter.pos->tag != 0) req_field_count++; + if (req_field_count > PB_MAX_REQUIRED_FIELDS) + req_field_count = PB_MAX_REQUIRED_FIELDS; + if (req_field_count > 0) { /* Check the whole words */ @@ -943,9 +946,15 @@ bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[ PB_RETURN_ERROR(stream, "missing required field"); } - /* Check the remaining bits */ - if (fields_seen[req_field_count >> 5] != (allbits >> (32 - (req_field_count & 31)))) - PB_RETURN_ERROR(stream, "missing required field"); + /* Check the remaining bits (if any) */ + if ((req_field_count & 31) != 0) + { + if (fields_seen[req_field_count >> 5] != + (allbits >> (32 - (req_field_count & 31)))) + { + PB_RETURN_ERROR(stream, "missing required field"); + } + } } } -- 2.16.6
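Review bot: The clamp added before `if (req_field_count > 0)` makes the decoder stop verifying required fields past PB_MAX_REQUIRED_FIELDS without saying so, so a message that omits one of those later fields would presumably still decode as valid. That trade-off deserves a comment at the clamp, e.g. `/* Only the first PB_MAX_REQUIRED_FIELDS required fields are tracked in fields_seen; later ones are not checked. */`, so callers who rely on required-field enforcement for input validation know its limit. The declaration of fields_seen and the code that sets its bits are outside this hunk; confirm both are bounded by the same constant, since the clamp only protects the read side. pb_decode_noinit starts and ends outside the hunk.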
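Review bot: The new comment `/* Check the remaining bits (if any) */` does not say why the `(req_field_count & 31) != 0` guard is needed, and that reason is the actual fix. When the count is a multiple of 32 the old expression shifted by 32, which is undefined if allbits is a 32-bit value (its declaration is outside the hunk), and indexed fields_seen one word past the last one the loop checked. I would write it as `/* Check the remaining bits; when the count is a multiple of 32 there are none, and the shift and index below would be out of range */`. The two nested `if`s could also be one condition joined with `&&`, which keeps the original shape.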