diff options
author | Shawn Willden <swillden@google.com> | 2021-06-30 16:44:06 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-06-30 16:44:06 +0000 |
commit | 9821e3c1ce118cbd69620caa15f4f82c86da5793 (patch) | |
tree | 8bcb0df1a7c37156c8d3de44d2ca11bcb152dcea | |
parent | a11b046c2fd614802a169a028cf3467557ba7b3a (diff) | |
parent | 8ca1ad02f8e03e7e0a00cfbffb34697245d5709c (diff) | |
download | libcppbor-9821e3c1ce118cbd69620caa15f4f82c86da5793.tar.gz |
Check for integer overflow in cppbor::parseRecursively. am: 4907264bdc am: 8ca1ad02f8
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/libcppbor/+/15110385
Change-Id: Ibdc7d6fa7ca11d69f401d583a1a3448c4ebbe1d2
-rw-r--r-- | src/cppbor_parse.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/cppbor_parse.cpp b/src/cppbor_parse.cpp index f5e8fcf..964a72d 100644 --- a/src/cppbor_parse.cpp +++ b/src/cppbor_parse.cpp @@ -96,7 +96,8 @@ std::tuple<const uint8_t*, ParseClient*> handleString(uint64_t length, const uin const uint8_t* valueBegin, const uint8_t* end, const std::string& errLabel, ParseClient* parseClient) { - if (end - valueBegin < static_cast<ssize_t>(length)) { + ssize_t signed_length = static_cast<ssize_t>(length); + if (end - valueBegin < signed_length || signed_length < 0) { parseClient->error(hdrBegin, insufficientLengthString(length, end - valueBegin, errLabel)); return {hdrBegin, nullptr /* end parsing */}; } |