Protect Hunks from invalid lengths

Grayson · Jan 30, 2020 · 1e01fb2 · 1e01fb2
1 parent a372299
commit 1e01fb2
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/Sources/ipspatcher/Hunk.swift b/Sources/ipspatcher/Hunk.swift
@@ -39,8 +39,13 @@ extension Hunk {
 
         let length = 5 + UInt16(slice[slice.startIndex + 3]) << 16 + UInt16(slice[slice.startIndex + 4])
         let payloadLength = length > 0 ? length : 3;
-        let bytes = Array<UInt8>(slice[ slice.startIndex ..< slice.startIndex + Int(payloadLength) ])
+        let predictedPaylodOffset = slice.startIndex + Int(payloadLength)
 
+        guard predictedPaylodOffset < slice.endIndex else {
+            return nil
+        }
+
+        let bytes = Array<UInt8>(slice[ slice.startIndex ..< predictedPaylodOffset ])
         return Hunk.from(bytes: bytes)
     }
 }
diff --git a/Tests/ipspatcherTests/HunkTests.swift b/Tests/ipspatcherTests/HunkTests.swift
@@ -34,4 +34,17 @@ final class HunkTests: XCTestCase {
         XCTAssertEqual(0x0002, hunk.RLELength)
         XCTAssertEqual(0xFF, hunk.RLEPayload)
     }
+
+    func testHunkWithIncorrectLength() {
+        let bytes: [UInt8] = [
+            0x01, 0x02, 0x03, /* Offset */
+            0x00, 0x02, /* Length */
+            0xFF /* Payload */
+        ]
+
+        bytes.withUnsafeBufferPointer {
+            let hunk = Hunk.from(slice: $0[ $0.startIndex ..< $0.endIndex ])
+            XCTAssertNil(hunk)
+        }
+    }
 }