From bb52a7a3e1802a65e2347f3a7a48c6fb3bdc47e4 Mon Sep 17 00:00:00 2001
From: Petteri Aimonen
Date: Mon, 6 Jun 2016 21:01:22 +0300
Subject: [PATCH] Protect against corrupted _count fields in pb_release().

Fixes a potential security issue (#205). Only relevant if the user code writes untrusted data to _count fields, but this is allowed as per the security model.
---
 pb_decode.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pb_decode.c b/pb_decode.c
index 1699091c..78911e7b 100644
--- a/pb_decode.c
+++ b/pb_decode.c
@@ -1035,6 +1035,12 @@ static void pb_release_single_field(const pb_field_iter_t *iter)
     if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
     {
         count = *(pb_size_t*)iter->pSize;
+
+        if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > iter->pos->array_size)
+        {
+            /* Protect against corrupted _count fields */
+            count = iter->pos->array_size;
+        }
     }
     if (pItem)
-- 
2.16.6
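Review bot: The clamp at `count > iter->pos->array_size` is applied only under `PB_ATYPE(type) == PB_ATYPE_STATIC`, and the added comment does not record why pointer-type repeated fields are left unbounded, so a later reader may read the omission as an oversight rather than a deliberate limit of the fix. I would widen the comment to `/* Protect against corrupted _count fields: for static arrays the true bound is array_size; for pointer arrays the allocation length is the _count itself, so nothing here can bound it and the caller must keep it consistent */`. The pointer-array sizing is inferred from how `count` is consumed after this hunk rather than shown in it, so confirm that before wording the comment this way. pb_release_single_field begins and ends outside the hunk, including the loop that walks `count` items.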