generic-library/msgpack
1
0
Fork 0
mirror of https://github.com/msgpack/msgpack-c.git synced 2025-05-29 23:42:40 +02:00
Code Issues Projects Releases Wiki Activity

Change integer overflow check to conform with spec

Browse Source
This commit is contained in:
David LeBlanc 2019-05-06 17:29:40 -07:00
parent fadc615f4e
commit 2d54c0e918
1 changed files with 15 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/unpack.c
View File

@ -189,19 +189,17 @@ static inline int template_callback_false(unpack_user* u, msgpack_object* o)
static inline int template_callback_array(unpack_user* u, unsigned int n, msgpack_object* o) static inline int template_callback_array(unpack_user* u, unsigned int n, msgpack_object* o)
{ {
unsigned int size; // Let's leverage the fact that sizeof(msgpack_object) is a compile time constant
unsigned long long tmp; // to check for int overflows.
// Note - while n is constrained to 32-bit, the product of n * sizeof(msgpack_object)
// might not be constrained to 4GB on 64-bit systems
if( n > SIZE_MAX/sizeof(msgpack_object))
return MSGPACK_UNPACK_NOMEM_ERROR;
o->type = MSGPACK_OBJECT_ARRAY; o->type = MSGPACK_OBJECT_ARRAY;
o->via.array.size = 0; o->via.array.size = 0;
tmp = (unsigned long long)n * sizeof(msgpack_object);
if (tmp & 0xffffffff00000000) { size_t size = n * sizeof(msgpack_object);
// integer overflow
return MSGPACK_UNPACK_NOMEM_ERROR;
}
size = (unsigned int)tmp;
if (*u->z == NULL) { if (*u->z == NULL) {
*u->z = msgpack_zone_new(MSGPACK_ZONE_CHUNK_SIZE); *u->z = msgpack_zone_new(MSGPACK_ZONE_CHUNK_SIZE);
@ -230,19 +228,18 @@ static inline int template_callback_array_item(unpack_user* u, msgpack_object* c
static inline int template_callback_map(unpack_user* u, unsigned int n, msgpack_object* o) static inline int template_callback_map(unpack_user* u, unsigned int n, msgpack_object* o)
{ {
unsigned int size; // Let's leverage the fact that sizeof(msgpack_object_kv) is a compile time constant
unsigned long long tmp; // to check for int overflows
// Note - while n is constrained to 32-bit, the product of n * sizeof(msgpack_object)
// might not be constrained to 4GB on 64-bit systems
if(n > SIZE_MAX/sizeof(msgpack_object_kv))
return MSGPACK_UNPACK_NOMEM_ERROR;
o->type = MSGPACK_OBJECT_MAP; o->type = MSGPACK_OBJECT_MAP;
o->via.map.size = 0; o->via.map.size = 0;
tmp = (unsigned long long)n * sizeof(msgpack_object_kv);
if (tmp & 0xffffffff00000000) { size_t size = n * sizeof(msgpack_object_kv);
// integer overflow
return MSGPACK_UNPACK_NOMEM_ERROR;
}
size = (unsigned int)tmp;
if (*u->z == NULL) { if (*u->z == NULL) {
*u->z = msgpack_zone_new(MSGPACK_ZONE_CHUNK_SIZE); *u->z = msgpack_zone_new(MSGPACK_ZONE_CHUNK_SIZE);