author | Petteri Aimonen <jpa@git.mail.kapsi.fi> | 2020-01-20 20:49:44 +0300 |
committer | Petteri Aimonen <jpa@git.mail.kapsi.fi> | 2020-01-20 20:59:13 +0300 |
commit | 2519119babea9e16ce5b14af50f87b4707865e8d (patch) | |
tree | 2c1384b4b5eb366570df2a4db9de2bc7653f8dcf /pb_decode.c | |
parent | e397e3efacaeab1bc6cacc0dfdc259768aebfd8e (diff) |
Verify stream size before allocating string / bytes.
This stops ridiculously large mallocs from getting through
on length-limited streams or buffers. Typically you should
also override realloc() to limit allocation size yourself
if dealing with untrusted data in pointer mode, but this
at least limits the potential denial-of-service attacks.
Diffstat (limited to 'pb_decode.c')
-rw-r--r-- | pb_decode.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/pb_decode.c b/pb_decode.c
index e2574d7..5085d20 100644
--- a/pb_decode.c
+++ b/pb_decode.c
@@ -1522,6 +1522,9 @@ static bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_iter_t
 #ifndef PB_ENABLE_MALLOC
 PB_RETURN_ERROR(stream, "no malloc support");
 #else
+ if (stream->bytes_left < size)
+ PB_RETURN_ERROR(stream, "end-of-stream");
+
 if (!allocate_field(stream, field->pData, alloc_size, 1))
 return false;
 dest = *(pb_bytes_array_t**)field->pData;
@@ -1561,6 +1564,9 @@ static bool checkreturn pb_dec_string(pb_istream_t *stream, const pb_field_iter_
 #ifndef PB_ENABLE_MALLOC
 PB_RETURN_ERROR(stream, "no malloc support");
 #else
+ if (stream->bytes_left < size)
+ PB_RETURN_ERROR(stream, "end-of-stream");
+
 if (!allocate_field(stream, field->pData, alloc_size, 1))
 return false;
 dest = *(pb_byte_t**)field->pData; |
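Review bot: The new guard `if (stream->bytes_left < size)` carries no comment explaining why it sits inside the `#else` of `#ifndef PB_ENABLE_MALLOC` rather than alongside the other length checks, and the same two lines are repeated verbatim in the pb_dec_string hunk below. I would add above it in both places `/* Refuse a length prefix the stream cannot supply before allocating, so a corrupt length cannot drive a huge malloc; as the commit message notes this only bites on length-limited streams, so callers feeding untrusted data from unbounded streams still need their own realloc() limit. */`, or fold the check into one static helper shared by both decoders so the two copies cannot drift. `size` and `alloc_size` are computed above the hunk, so I am assuming `size` is the wire length still to be read rather than the padded allocation size; please confirm. pb_dec_bytes and pb_dec_string both begin and end outside their hunks.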