Merge pull request #550 from redboltz/fix_cpp_array_of

Fixed array and map size overflow.
2026-01-10 16:08:37 +01:00 · 2016-12-29 13:23:13 +09:00
parent 9d37316b44 7e139125e2
commit b4f2acb945
2 changed files with 20 additions and 4 deletions
--- a/include/msgpack/v1/unpack.hpp
+++ b/include/msgpack/v1/unpack.hpp
@@ -203,7 +203,11 @@ struct unpack_array {
        if (n > u.limit().array()) throw msgpack::array_size_overflow("array size overflow");
        o.type = msgpack::type::ARRAY;
        o.via.array.size = 0;
-        o.via.array.ptr = static_cast<msgpack::object*>(u.zone().allocate_align(n*sizeof(msgpack::object)));
+        size_t size = n*sizeof(msgpack::object);
+        if (size / sizeof(msgpack::object) != n) {
+            throw msgpack::array_size_overflow("array size overflow");
+        }
+        o.via.array.ptr = static_cast<msgpack::object*>(u.zone().allocate_align(size));
    }
 };

@@ -221,7 +225,11 @@ struct unpack_map {
        if (n > u.limit().map()) throw msgpack::map_size_overflow("map size overflow");
        o.type = msgpack::type::MAP;
        o.via.map.size = 0;
-        o.via.map.ptr = static_cast<msgpack::object_kv*>(u.zone().allocate_align(n*sizeof(msgpack::object_kv)));
+        size_t size = n*sizeof(msgpack::object_kv);
+        if (size / sizeof(msgpack::object_kv) != n) {
+            throw msgpack::map_size_overflow("map size overflow");
+        }
+        o.via.map.ptr = static_cast<msgpack::object_kv*>(u.zone().allocate_align(size));
    }
 };

--- a/include/msgpack/v2/unpack.hpp
+++ b/include/msgpack/v2/unpack.hpp
@@ -215,8 +215,12 @@ public:
            obj->via.array.ptr = MSGPACK_NULLPTR;
        }
        else {
+            size_t size = num_elements*sizeof(msgpack::object);
+            if (size / sizeof(msgpack::object) != num_elements) {
+                throw msgpack::array_size_overflow("array size overflow");
+            }
            obj->via.array.ptr =
-                static_cast<msgpack::object*>(m_zone->allocate_align(num_elements*sizeof(msgpack::object)));
+                static_cast<msgpack::object*>(m_zone->allocate_align(size));
        }
        m_stack.push_back(obj->via.array.ptr);
        return true;
@@ -242,8 +246,12 @@ public:
            obj->via.map.ptr = MSGPACK_NULLPTR;
        }
        else {
+            size_t size = num_kv_pairs*sizeof(msgpack::object_kv);
+            if (size / sizeof(msgpack::object_kv) != num_kv_pairs) {
+                throw msgpack::map_size_overflow("map size overflow");
+            }
            obj->via.map.ptr =
-                static_cast<msgpack::object_kv*>(m_zone->allocate_align(num_kv_pairs*sizeof(msgpack::object_kv)));
+                static_cast<msgpack::object_kv*>(m_zone->allocate_align(size));
        }
        m_stack.push_back(reinterpret_cast<msgpack::object*>(obj->via.map.ptr));
        return true;