diff options
| author | Shawn Willden <swillden@google.com> | 2021-06-30 16:32:49 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-06-30 16:32:49 +0000 |
| commit | 8ca1ad02f8e03e7e0a00cfbffb34697245d5709c (patch) | |
| tree | 8bcb0df1a7c37156c8d3de44d2ca11bcb152dcea | |
| parent | 2521e189bbcc21de7a3ec1dfdc1ee32d515b2539 (diff) | |
| parent | 4907264bdcc3da0477bb5648e55c07705e2793ba (diff) | |
| download | libcppbor-8ca1ad02f8e03e7e0a00cfbffb34697245d5709c.tar.gz | |
Check for integer overflow in cppbor::parseRecursively. am: 4907264bdc
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/libcppbor/+/15110385
Change-Id: Ice7fdf01bd8dfd21188cb2f0385b5bba1b6c4a00
| -rw-r--r-- | src/cppbor_parse.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/cppbor_parse.cpp b/src/cppbor_parse.cpp index f5e8fcf..964a72d 100644 --- a/src/cppbor_parse.cpp +++ b/src/cppbor_parse.cpp @@ -96,7 +96,8 @@ std::tuple<const uint8_t*, ParseClient*> handleString(uint64_t length, const uin const uint8_t* valueBegin, const uint8_t* end, const std::string& errLabel, ParseClient* parseClient) { - if (end - valueBegin < static_cast<ssize_t>(length)) { + ssize_t signed_length = static_cast<ssize_t>(length); + if (end - valueBegin < signed_length || signed_length < 0) { parseClient->error(hdrBegin, insufficientLengthString(length, end - valueBegin, errLabel)); return {hdrBegin, nullptr /* end parsing */}; } |