authorPetteri Aimonen <jpa@git.mail.kapsi.fi>2016-06-06 21:01:22 +0300
committerPetteri Aimonen <jpa@git.mail.kapsi.fi>2016-06-06 21:01:22 +0300
commitbb52a7a3e1802a65e2347f3a7a48c6fb3bdc47e4 (patch)
tree9eb0e6425a068a5619ac53b6b733384c2e4edcb2
parent3af7d0910b9660a270aa3279716596c7d7711671 (diff)
Protect against corrupted _count fields in pb_release().
Fixes a potential security issue (#205). Only relevant if the user code writes untrusted data to _count fields, but this is allowed as per the security model.
-rw-r--r--pb_decode.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/pb_decode.c b/pb_decode.c
index 1699091c..78911e7b 100644
--- a/pb_decode.c
+++ b/pb_decode.c
@@ -1035,6 +1035,12 @@ static void pb_release_single_field(const pb_field_iter_t *iter)
if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
{
count = *(pb_size_t*)iter->pSize;
+
+ if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > iter->pos->array_size)
+ {
+ /* Protect against corrupted _count fields */
+ count = iter->pos->array_size;
+ }
}
if (pItem)