author | Petteri Aimonen <jpa@git.mail.kapsi.fi> | 2016-06-06 21:01:22 +0300 |
---|---|---|
committer | Petteri Aimonen <jpa@git.mail.kapsi.fi> | 2016-06-06 21:01:22 +0300 |
commit | bb52a7a3e1802a65e2347f3a7a48c6fb3bdc47e4 (patch) | |
tree | 9eb0e6425a068a5619ac53b6b733384c2e4edcb2 /pb_decode.c | |
parent | 3af7d0910b9660a270aa3279716596c7d7711671 (diff) |
Protect against corrupted _count fields in pb_release().
Fixes a potential security issue (#205). Only relevant if the user
code writes untrusted data to _count fields, but this is allowed as
per the security model.
Diffstat (limited to 'pb_decode.c')
-rw-r--r-- | pb_decode.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/pb_decode.c b/pb_decode.c index 1699091c..78911e7b 100644 --- a/pb_decode.c +++ b/pb_decode.c @@ -1035,6 +1035,12 @@ static void pb_release_single_field(const pb_field_iter_t *iter) if (PB_HTYPE(type) == PB_HTYPE_REPEATED) { count = *(pb_size_t*)iter->pSize; + + if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > iter->pos->array_size) + { + /* Protect against corrupted _count fields */ + count = iter->pos->array_size; + } } if (pItem) |
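Review bot: In the `PB_HTYPE_REPEATED` branch, the new clamp adjusts only the local `count`; the out-of-range value read through `iter->pSize` stays in the message struct, and the check is skipped whenever `PB_ATYPE(type)` is not `PB_ATYPE_STATIC`. Please extend the comment to say why only static arrays are bounded here and what limits `count` for the other allocation types, and consider whether the stored count should also be corrected so later readers of the struct do not see the corrupted value. A regression test that sets a `_count` field above `array_size` before calling `pb_release()` would pin the behaviour down.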