-rw-r--r--tests/fuzztest/fuzztest.c1
-rw-r--r--tests/regression/issue_205/SConscript14
-rw-r--r--tests/regression/issue_205/size_corruption.c12
-rw-r--r--tests/regression/issue_205/size_corruption.proto11
4 files changed, 38 insertions, 0 deletions
diff --git a/tests/fuzztest/fuzztest.c b/tests/fuzztest/fuzztest.c
index d3701724..ee851ec0 100644
--- a/tests/fuzztest/fuzztest.c
+++ b/tests/fuzztest/fuzztest.c
@@ -192,6 +192,7 @@ static bool do_static_encode(uint8_t *buffer, size_t *msglen)
assert(stream.bytes_written <= alltypes_static_AllTypes_size);
*msglen = stream.bytes_written;
+ pb_release(alltypes_static_AllTypes_fields, msg);
free_with_check(msg);
return status;
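Review bot: The added `pb_release(alltypes_static_AllTypes_fields, msg);` has no comment saying why a message made only of static fields needs releasing, so it reads as redundant next to `free_with_check(msg)` and could be removed in a later cleanup. Presumably the call is there so the fuzzer drives pb_release() over arbitrary count values in static arrays, which is the case the issue_205 regression test targets. A one-line comment would record that, e.g. `/* Exercise pb_release() on fuzzed static-array counts (issue 205); no pointers are expected to be freed here. */`. pb_release() is, as far as I know, only compiled with PB_ENABLE_MALLOC, so it is worth confirming that every build of fuzztest.c defines it. The body of do_static_encode starts outside this hunk, so how `msg` is populated is not visible here.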
diff --git a/tests/regression/issue_205/SConscript b/tests/regression/issue_205/SConscript
new file mode 100644
index 00000000..ed8899dd
--- /dev/null
+++ b/tests/regression/issue_205/SConscript
@@ -0,0 +1,14 @@
+# Check that pb_release() correctly handles corrupted size fields of
+# static arrays.
+
+Import('env', 'malloc_env')
+
+env.NanopbProto('size_corruption')
+
+p = malloc_env.Program(["size_corruption.c",
+ "size_corruption.pb.c",
+ "$COMMON/pb_decode_with_malloc.o",
+ "$COMMON/pb_common_with_malloc.o",
+ "$COMMON/malloc_wrappers.o"])
+env.RunTest(p)
+
diff --git a/tests/regression/issue_205/size_corruption.c b/tests/regression/issue_205/size_corruption.c
new file mode 100644
index 00000000..08cef457
--- /dev/null
+++ b/tests/regression/issue_205/size_corruption.c
@@ -0,0 +1,12 @@
+#include "size_corruption.pb.h"
+#include <pb_decode.h>
+
+int main()
+{
+ MainMessage msg = MainMessage_init_zero;
+ msg.bar_count = (pb_size_t)-1;
+ pb_release(MainMessage_fields, &msg);
+
+ return 0;
+}
+
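Review bot: This regression test contains no explicit check, so it fails only if `pb_release(MainMessage_fields, &msg)` crashes the process. A walk past `bar[4]` driven by the bogus `bar_count` is not guaranteed to fault on every platform, because the adjacent stack memory may happen to hold zeros. The SConscript links `malloc_wrappers.o`, which may catch an invalid free, but that is not visible here; running this binary under an address sanitizer or a memory checker where available would make the out-of-bounds read itself observable. A comment above the assignment would state the intent, e.g. `/* bar has max_count = 5; pb_release() must clamp a corrupted count instead of iterating over it. */`. `int main()` would be better as `int main(void)`.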
diff --git a/tests/regression/issue_205/size_corruption.proto b/tests/regression/issue_205/size_corruption.proto
new file mode 100644
index 00000000..6c9c2453
--- /dev/null
+++ b/tests/regression/issue_205/size_corruption.proto
@@ -0,0 +1,11 @@
+syntax = "proto2";
+import 'nanopb.proto';
+
+message SubMessage {
+ repeated int32 foo = 1 [(nanopb).type = FT_POINTER];
+}
+
+message MainMessage {
+ repeated SubMessage bar = 1 [(nanopb).max_count = 5];
+}
+