Check for out-of-bounds bencoded lengths before advancing buffer pointer

bittorrent · Jun 29, 2015 · e809ea8 · e809ea8
1 parent bbc0b71
commit e809ea8
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/lazy_bdecode.cpp b/lazy_bdecode.cpp
@@ -150,7 +150,9 @@ namespace libtorrent
 					if (e)
 						TORRENT_FAIL_BDECODE(e);
 
-					if (start + len + 1 > end)
+					// remaining buffer size excluding ':'
+					const ptrdiff_t buff_size = end - start - 1;
+					if (len > buff_size)
 						TORRENT_FAIL_BDECODE(bdecode_errors::unexpected_eof);
 
 					if (len < 0)
@@ -216,12 +218,16 @@ namespace libtorrent
 					start = parse_int(start, end, ':', len, e);
 					if (e)
 						TORRENT_FAIL_BDECODE(e);
-					if (start + len + 1 > end)
+
+					// remaining buffer size excluding ':'
+					const ptrdiff_t buff_size = end - start - 1;
+					if (len > buff_size)
 						TORRENT_FAIL_BDECODE(bdecode_errors::unexpected_eof);
 					if (len < 0)
 						TORRENT_FAIL_BDECODE(bdecode_errors::overflow);
 
 					++start;
+					if (start == end) TORRENT_FAIL_BDECODE(bdecode_errors::unexpected_eof);
 					top->construct_string(start, int(len));
 					stack.pop_back();
 					start += len;