refactor: Protect array unpacking against invalid lengths.

Each array element is at least 1 byte, so if there are fewer bytes than array elements, the array size is invalid.
TokTok · Apr 5, 2022 · 18a2211 · 18a2211
1 parent 3576df9
commit 18a2211
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/other/bootstrap_daemon/docker/tox-bootstrapd.sha256 b/other/bootstrap_daemon/docker/tox-bootstrapd.sha256
@@ -1 +1 @@
-b3fb4157d7fc6cd3455f40020bb6b69e5bab4bbdb6ce66d5bc7095146ba5a49e  /usr/local/bin/tox-bootstrapd
+1a7f608f49ca27f71c0da83e53536f30d547ea2e52bfb24bf17bf90388f5eeb0  /usr/local/bin/tox-bootstrapd
diff --git a/toxcore/bin_pack_test.cc b/toxcore/bin_pack_test.cc
@@ -122,4 +122,13 @@ TEST(BinPack, BinCanHoldArbitraryData)
     EXPECT_EQ(str, (std::array<uint8_t, 5>{'h', 'e', 'l', 'l', 'o'}));
 }
 
+TEST(BinPack, OversizedArrayFailsUnpack)
+{
+    std::array<uint8_t, 1> buf = {0x91};
+
+    Bin_Unpack_Ptr bu(bin_unpack_new(buf.data(), buf.size()));
+    uint32_t size;
+    EXPECT_FALSE(bin_unpack_array(bu.get(), &size));
+}
+
 }  // namespace
diff --git a/toxcore/bin_unpack.c b/toxcore/bin_unpack.c
@@ -70,7 +70,7 @@ void bin_unpack_free(Bin_Unpack *bu)
 
 bool bin_unpack_array(Bin_Unpack *bu, uint32_t *size)
 {
-    return cmp_read_array(&bu->ctx, size);
+    return cmp_read_array(&bu->ctx, size) && *size <= bu->bytes_size;
 }
 
 bool bin_unpack_array_fixed(Bin_Unpack *bu, uint32_t required_size)