
Repository: github.com/nanopb/nanopb.git
author: Petteri Aimonen <jpa@git.mail.kapsi.fi> 2020-01-20 20:49:44 +0300
committer: Petteri Aimonen <jpa@git.mail.kapsi.fi> 2020-01-20 20:59:13 +0300
commit: 2519119babea9e16ce5b14af50f87b4707865e8d (patch)
tree: 2c1384b4b5eb366570df2a4db9de2bc7653f8dcf /pb_decode.c
parent: e397e3efacaeab1bc6cacc0dfdc259768aebfd8e (diff)
Verify stream size before allocating string / bytes.
This stops ridiculously large mallocs from getting through on length-limited streams or buffers. Typically you should also override realloc() to limit allocation size yourself if dealing with untrusted data in pointer mode, but this at least limits the potential denial-of-service attacks.
Diffstat (limited to 'pb_decode.c')
-rw-r--r-- pb_decode.c 6
1 files changed, 6 insertions, 0 deletions
diff --git a/pb_decode.c b/pb_decode.c
index e2574d7..5085d20 100644
--- a/pb_decode.c
+++ b/pb_decode.c
@@ -1522,6 +1522,9 @@ static bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_iter_t
#ifndef PB_ENABLE_MALLOC
PB_RETURN_ERROR(stream, "no malloc support");
#else
+ if (stream->bytes_left < size)
+ PB_RETURN_ERROR(stream, "end-of-stream");
+
if (!allocate_field(stream, field->pData, alloc_size, 1))
return false;
dest = *(pb_bytes_array_t**)field->pData;
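Review bot: The new guard at the top of the `#else` branch in pb_dec_bytes is only as strong as `stream->bytes_left`, so it deserves a comment stating that it bounds the allocation to the declared stream length and does nothing on a stream whose length is unknown; the commit message says as much ("length-limited streams or buffers") but the code does not, and a future reader may take the check as a general size limit. Also note that the comparison is against `size` while the allocation uses `alloc_size`; that is fine if `alloc_size` is `size` plus a small fixed header, but a one-line comment saying so would make the intent verifiable in place, e.g. `/* Refuse allocations larger than the remaining stream; alloc_size adds only the array header. */`.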
@@ -1561,6 +1564,9 @@ static bool checkreturn pb_dec_string(pb_istream_t *stream, const pb_field_iter_
#ifndef PB_ENABLE_MALLOC
PB_RETURN_ERROR(stream, "no malloc support");
#else
+ if (stream->bytes_left < size)
+ PB_RETURN_ERROR(stream, "end-of-stream");
+
if (!allocate_field(stream, field->pData, alloc_size, 1))
return false;
dest = *(pb_byte_t**)field->pData;
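Review bot: These three added lines are identical to the ones added to pb_dec_bytes in the previous hunk; consider moving the `bytes_left < size` check into allocate_field (or a small helper that takes the stream and the wire length) so every caller that allocates from an untrusted length gets the same guard and the two copies cannot drift apart. For pb_dec_string specifically, the check is against `size` while `alloc_size` presumably includes the terminating NUL, so the comment should say that the extra byte is intentionally not counted against `bytes_left`.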