bblanchon/ArduinoJson
1
0
Fork 1
mirror of https://github.com/bblanchon/ArduinoJson.git synced 2025-11-08 02:21:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix integer overflow in MsgPackDeserializer

Browse Source
This commit is contained in:
Benoit Blanchon
2024-06-08 18:49:42 +02:00
parent 45611924f3
commit 208e7a3304
4 changed files with 42 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/ArduinoJson/Memory/StringNode.hpp
View File

@@ -35,8 +35,10 @@ struct StringNode {
static StringNode* create(size_t length, Allocator* allocator) {
if (length > maxLength)
return nullptr;
auto node = reinterpret_cast<StringNode*>(
allocator->allocate(sizeForLength(length)));
auto size = sizeForLength(length);
if (size < length) // integer overflow
return nullptr; // (not testable on 64-bit)
auto node = reinterpret_cast<StringNode*>(allocator->allocate(size));
if (node) {
node->length = length_type(length);
node->references = 1;

13
src/ArduinoJson/MsgPack/MsgPackDeserializer.hpp
View File

@@ -198,8 +198,13 @@ class MsgPackDeserializer {
if (err)
return err;
uint32_t size32 = 0;
for (size_t i = 0; i < sizeBytes; i++)
size = (size << 8) | header[i + 1];
size32 = (size32 << 8) | header[i + 1];
size = size_t(size32);
if (size < size32) // integer overflow
return DeserializationError::NoMemory; // (not testable on 32/64-bit)
}
// array 16, 32 and fixarray
@@ -366,7 +371,11 @@ class MsgPackDeserializer {
DeserializationError::Code readRawString(VariantData* variant,
const void* header,
uint8_t headerSize, size_t n) {
char* p = stringBuffer_.reserve(headerSize + n);
auto totalSize = size_t(headerSize + n);
if (totalSize < n) // integer overflow
return DeserializationError::NoMemory; // (not testable on 64-bit)
char* p = stringBuffer_.reserve(totalSize);
if (!p)
return DeserializationError::NoMemory;