author | David Benjamin <davidben@google.com> | 2016-07-26 15:28:44 +0300 |
---|---|---|
committer | CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> | 2016-07-26 18:19:41 +0300 |
commit | 4ff41f614cd90e947957cc63a3c7ca2372c1a45d (patch) | |
tree | f9fca22865076c56094a2974d017fe21ed53ca33 /crypto | |
parent | d067e4ce0d0a8b033ccf5590bdeace15df504b6c (diff) |
Check for overflow in CBB_add_u24.
All other CBB_add_u<N> functions take a narrowed type, but not every
uint32_t may fit in a u24. Check for this rather than silently truncate.
Change-Id: I23879ad0f4d2934f257e39e795cf93c6e3e878bf
Reviewed-on: https://boringssl-review.googlesource.com/8940
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/bytestring/bytestring_test.cc | 18 | ||||
-rw-r--r-- | crypto/bytestring/cbb.c | 6 |
2 files changed, 24 insertions, 0 deletions
diff --git a/crypto/bytestring/bytestring_test.cc b/crypto/bytestring/bytestring_test.cc
index 5441da77..9ab2c0c2 100644
--- a/crypto/bytestring/bytestring_test.cc
+++ b/crypto/bytestring/bytestring_test.cc
@@ -852,6 +852,24 @@ static bool TestStickyError() {
 return false;
 }
+ // Write a u32 that cannot fit in a u24.
+ cbb.Reset();
+ if (!CBB_init(cbb.get(), 0)) {
+ return false;
+ }
+
+ if (CBB_add_u24(cbb.get(), 1u << 24)) {
+ fprintf(stderr, "CBB_add_u24 unexpectedly succeeded.\n");
+ return false;
+ }
+
+ // All future operations should fail.
+ if (CBB_add_u8(cbb.get(), 0) ||
+ CBB_finish(cbb.get(), &ptr, &len)) {
+ fprintf(stderr, "Future operations unexpectedly succeeded.\n");
+ return false;
+ }
+
 return true;
 }
diff --git a/crypto/bytestring/cbb.c b/crypto/bytestring/cbb.c
index 9b38a6b1..ff2bc361 100644
--- a/crypto/bytestring/cbb.c
+++ b/crypto/bytestring/cbb.c
@@ -156,6 +156,12 @@ static int cbb_buffer_add_u(struct cbb_buffer_st *base, uint32_t v,
 buf[i] = v;
 v >>= 8;
 }
+
+ if (v != 0) {
+ base->error = 1;
+ return 0;
+ }
+
 return 1;
 }
|
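Review bot: The case added to TestStickyError in bytestring_test.cc pins only the first rejected value, `1u << 24`, and nothing in this hunk asserts that the largest valid value is still accepted, so a check that also rejected `0xffffff` would pass this test. Consider adding a success case on a fresh CBB, `if (!CBB_add_u24(cbb.get(), 0xffffff)) { return false; }`, and a second rejected input such as `0xffffffff` so the high byte is exercised as well as bit 24. Other tests in the file may already cover valid u24 writes, which is not visible here; TestStickyError begins above the hunk.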
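Review bot: The `v != 0` check added to cbb_buffer_add_u in cbb.c runs after the loop has already stored the low-order bytes, so on failure the truncated value presumably stays in the buffer and only the sticky `base->error` flag keeps it from being emitted. That is safe as long as every path that hands out the bytes honours the flag, which the new test checks for CBB_finish; a short comment would make the invariant explicit, for example `/* Bits remain in |v|: the value does not fit in |len_len| bytes. Fail rather than emit a truncated length. */`. It would also help to state in the CBB_add_u24 documentation that values above 0xffffff are rejected; that header is not part of the visible diff. The function starts above the hunk.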