
SECURITY: Integer underflow in pointer validation.

kentonv committed Feb 28, 2015
1 parent f343f0d commit 26bcceda72372211063d62aab7e45665faa83633
Showing with 8 additions and 2 deletions.
  1. +8 −2 c++/src/capnp/layout.c++
@@ -1430,6 +1430,7 @@ struct WireHelpers {
WirePointer* ref, word* refTarget, SegmentBuilder* segment,
const void* defaultValue, ByteCount defaultSize)) {
if (ref->isNull()) {
useDefault:
if (defaultSize == 0 * BYTES) {
return nullptr;
} else {
@@ -1439,14 +1440,19 @@ struct WireHelpers {
}
} else {
word* ptr = followFars(ref, refTarget, segment);
char* cptr = reinterpret_cast<char*>(ptr);

KJ_REQUIRE(ref->kind() == WirePointer::LIST,
"Called getText{Field,Element}() but existing pointer is not a list.");
KJ_REQUIRE(ref->listRef.elementSize() == ElementSize::BYTE,
"Called getText{Field,Element}() but existing list pointer is not byte-sized.");

// Subtract 1 from the size for the NUL terminator.
return Text::Builder(reinterpret_cast<char*>(ptr), ref->listRef.elementCount() / ELEMENTS - 1);
size_t size = ref->listRef.elementCount() / ELEMENTS;
KJ_REQUIRE(size > 0 && cptr[size-1] == '\0', "Text blob missing NUL terminator.") {
goto useDefault;
}

return Text::Builder(cptr, size - 1);
}
}
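Review bot: The new validation at `KJ_REQUIRE(size > 0 && cptr[size-1] == '\0', ...)` dereferences `cptr[size-1]` using a length taken straight from the existing list pointer, so it is only safe if `followFars(ref, refTarget, segment)` (or something before it) has already confirmed that `elementCount()` bytes fit inside the segment; that check is not visible in this hunk, and on the builder side I am not certain it happens, so a comment stating where the bounds guarantee comes from would make the fix auditable. The recovery block `{ goto useDefault; }` also deserves a why-comment, since a reader may not know that KJ_REQUIRE's trailing block runs only when the check fails and that the effect is to replace the malformed text with the default rather than hand out a `Text::Builder` over corrupt bytes; something like `// Corrupt text (empty or no NUL terminator): log the fault and re-initialize from the default instead of exposing a builder over it.` The old comment `// Subtract 1 from the size for the NUL terminator.` now sits above the `size_t size` declaration rather than the `size - 1` in the return and should move down with it. The enclosing function's signature and the body of the `useDefault` branch lie outside this hunk.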
