diff options
author | Petteri Aimonen <jpa@git.mail.kapsi.fi> | 2017-03-12 12:18:32 +0200 |
---|---|---|
committer | Petteri Aimonen <jpa@git.mail.kapsi.fi> | 2017-03-12 12:18:32 +0200 |
commit | 44e559d9ce74855bd48d8050ab6cf6391b980239 (patch) | |
tree | 81eb324b8dfd451e9ad1dc227985bd14a6d94a19 /pb_decode.c | |
parent | 459d9cf45c7a47e6fd034a134cc7653db82e8fe8 (diff) |
Fix potential out-of-bounds read with more than 64 required fields
Diffstat (limited to 'pb_decode.c')
-rw-r--r-- | pb_decode.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/pb_decode.c b/pb_decode.c index e2e90caa..06d766af 100644 --- a/pb_decode.c +++ b/pb_decode.c @@ -934,6 +934,9 @@ bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[ if (PB_HTYPE(last_type) == PB_HTYPE_REQUIRED && iter.pos->tag != 0) req_field_count++; + if (req_field_count > PB_MAX_REQUIRED_FIELDS) + req_field_count = PB_MAX_REQUIRED_FIELDS; + if (req_field_count > 0) { /* Check the whole words */ @@ -943,9 +946,15 @@ bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[ PB_RETURN_ERROR(stream, "missing required field"); } - /* Check the remaining bits */ - if (fields_seen[req_field_count >> 5] != (allbits >> (32 - (req_field_count & 31)))) - PB_RETURN_ERROR(stream, "missing required field"); + /* Check the remaining bits (if any) */ + if ((req_field_count & 31) != 0) + { + if (fields_seen[req_field_count >> 5] != + (allbits >> (32 - (req_field_count & 31)))) + { + PB_RETURN_ERROR(stream, "missing required field"); + } + } } } |