fuzzing: reject out-of-bounds unbox slot numbers

MoarVM · Apr 18, 2019 · 8fef199 · 8fef199
1 parent 6544179
commit 8fef199
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/6model/reprs/P6opaque.c b/src/6model/reprs/P6opaque.c
@@ -1035,8 +1035,12 @@ static void deserialize_repr_data(MVMThreadContext *tc, MVMSTable *st, MVMSerial
         for (i = 0; i < repr_data->num_attributes; i++) {
             MVMuint16 repr_id = MVM_serialization_read_int(tc, reader);
             MVMuint16 slot = MVM_serialization_read_int(tc, reader);
+            if (slot > repr_data->num_attributes)
+                MVM_exception_throw_adhoc(tc, "Serialization error: P6opaque's unbox slot out of range (slot %d > %d attributes).", slot, repr_data->num_attributes);
             if (repr_id < MVM_REPR_MAX_COUNT)
                 repr_data->unbox_slots[repr_id] = slot;
+            else
+                MVM_exception_throw_adhoc(tc, "Serialization error: P6opaque's unbox slot repr id out of range.");
         }
     } else {
         repr_data->unbox_slots = NULL;