From 0aa1dab94a4deff4940a39eafeefdc5d8f3a107e Mon Sep 17 00:00:00 2001
From: Petteri Aimonen <jpa@git.mail.kapsi.fi>
Date: Sat, 20 Mar 2021 09:44:31 +0200
Subject: Add testcase for #647: invalid free with oneof

---
 tests/regression/issue_647/SConscript  | 12 ++++++++++++
 tests/regression/issue_647/repro.c     | 16 ++++++++++++++++
 tests/regression/issue_647/repro.proto | 10 ++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 tests/regression/issue_647/SConscript
 create mode 100644 tests/regression/issue_647/repro.c
 create mode 100644 tests/regression/issue_647/repro.proto

(limited to 'tests')

diff --git a/tests/regression/issue_647/SConscript b/tests/regression/issue_647/SConscript
new file mode 100644
index 0000000..70eedf8
--- /dev/null
+++ b/tests/regression/issue_647/SConscript
@@ -0,0 +1,12 @@
+# Regression test for #647:
+# Ill-formed oneof message leads to calling free on an arbitrary pointer
+
+Import("env")
+
+env.NanopbProto("repro.proto")
+
+test = env.Program(["repro.c", "repro.pb.c",
+                    "$COMMON/pb_decode_with_malloc.o",
+                    "$COMMON/pb_common_with_malloc.o",
+                    "$COMMON/malloc_wrappers.o"])
+env.RunTest(test)
diff --git a/tests/regression/issue_647/repro.c b/tests/regression/issue_647/repro.c
new file mode 100644
index 0000000..48d9570
--- /dev/null
+++ b/tests/regression/issue_647/repro.c
@@ -0,0 +1,16 @@
+#include <pb_decode.h>
+#include <unittests.h>
+#include <malloc_wrappers.h>
+#include "repro.pb.h"
+
+int main() {
+  const uint8_t data[] = {0x08, 0x08, 0x2d};
+  int status = 0;
+  Repro repro = Repro_init_zero;
+
+  pb_istream_t stream = pb_istream_from_buffer(data, sizeof(data));
+  TEST(!pb_decode(&stream, Repro_fields, &repro));
+  TEST(get_alloc_count() == 0);
+
+  return status;
+}
diff --git a/tests/regression/issue_647/repro.proto b/tests/regression/issue_647/repro.proto
new file mode 100644
index 0000000..1fe7777
--- /dev/null
+++ b/tests/regression/issue_647/repro.proto
@@ -0,0 +1,10 @@
+syntax = "proto3";
+
+import "nanopb.proto";
+
+message Repro {
+  oneof value_type {
+    bool boolean_value = 1;
+    bytes bytes_value = 5 [(nanopb).type = FT_POINTER];
+  }
+}
-- 
cgit v1.2.3