SECURITY: Integer underflow in pointer validation.
kentonv committed Mar 2, 2015
1 parent f343f0d commit 26bcced
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions c++/src/capnp/layout.c++
Expand Up @@ -1430,6 +1430,7 @@ struct WireHelpers {
WirePointer* ref, word* refTarget, SegmentBuilder* segment,
const void* defaultValue, ByteCount defaultSize)) {
if (ref->isNull()) {
useDefault:
if (defaultSize == 0 * BYTES) {
return nullptr;
} else {
Expand All @@ -1439,14 +1440,19 @@ struct WireHelpers {
}
} else {
word* ptr = followFars(ref, refTarget, segment);
char* cptr = reinterpret_cast<char*>(ptr);

KJ_REQUIRE(ref->kind() == WirePointer::LIST,
"Called getText{Field,Element}() but existing pointer is not a list.");
KJ_REQUIRE(ref->listRef.elementSize() == ElementSize::BYTE,
"Called getText{Field,Element}() but existing list pointer is not byte-sized.");

// Subtract 1 from the size for the NUL terminator.
return Text::Builder(reinterpret_cast<char*>(ptr), ref->listRef.elementCount() / ELEMENTS - 1);
size_t size = ref->listRef.elementCount() / ELEMENTS;
KJ_REQUIRE(size > 0 && cptr[size-1] == '\0', "Text blob missing NUL terminator.") {
goto useDefault;
}

return Text::Builder(cptr, size - 1);
}
}

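Review bot: The new guard `KJ_REQUIRE(size > 0 && cptr[size-1] == '\0', "Text blob missing NUL terminator.")` closes the `elementCount() == 0` underflow, but the byte it reads at `cptr[size-1]` is itself only in bounds if the list's element count was already validated against the segment; nothing in this hunk shows that check, so it presumably happens upstream (in followFars or when the segment was first validated) and deserves a comment here stating that precondition, e.g. `// Precondition: ptr..ptr+size lies within the segment (validated when the pointer was followed).`. The recovery branch `goto useDefault;` also warrants a one-line comment, since the block body runs when KJ_REQUIRE does not throw and re-enters the null-pointer path with a non-null `ref`, e.g. `// Recovery: treat a malformed text blob as if the pointer were null and fall back to the default.`; whether the default path then replaces the existing list safely depends on code between the two hunks that is not shown. The enclosing function's signature starts in the first hunk and its default-value branch is cut off between the hunks.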