
heap-buffer-overflow in BerEncoder_encodeLength of /src/libiec61850/src/mms/asn1/ber_encoder.c #505

Closed
aT0ngMu opened this issue May 22, 2024 · 1 comment

Comments

@aT0ngMu

aT0ngMu commented May 22, 2024

A heap-buffer-overflow occurred when running the program; this can be reproduced on the latest commit.

version
v1.5

Verification steps
build_run.log

error message
error_message.log

reproduce code

```cpp
#include <fuzzer/FuzzedDataProvider.h>
#include <cstdint>
#include <cstdlib>
#include "mms_value.h"

extern "C" {
    int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
        FuzzedDataProvider stream(data, size);

        MmsValue* value = MmsValue_new(); // Create an empty MmsValue object
        int8_t int_value = stream.ConsumeIntegral<int8_t>(); // Take an int8_t from the fuzzer input
        bool flag = stream.ConsumeBool(); // Take a bool from the fuzzer input for the last parameter

        MmsValue_setInt8(value, int_value); // Store the integer in the MmsValue object
        uint8_t* encoded_data = nullptr;
        int encoded_size = 0;

        // Call MmsValue_encodeMmsData, passing the addresses of encoded_data and
        // encoded_size as if they were output parameters
        int result = MmsValue_encodeMmsData(value, &encoded_data, &encoded_size, flag);
        (void)result;

        MmsValue_delete(value); // Delete the MmsValue object

        if (encoded_data != nullptr) {
            free(encoded_data); // Free whatever encoded_data now points to
        }

        return 0;
    }
}
```
@mzillgith
Contributor

I think there is a misunderstanding how the function works.
The buffer and bufPos parameters are not output parameters but they have to point to a buffer with enough space to encode the data.
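The calling contract described in the reply above, as an added self-contained C model (illustrative code, not libiec61850's own implementation): the caller owns `buffer`, `bufPos` is the write offset, the return value is the new offset, and the last parameter is assumed to select a size-only pass when false. It shows the measure-then-allocate pattern and a bounded wrapper that refuses a buffer that is too small rather than writing past it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the encoder contract: buffer/bufPos are caller-supplied,
 * the return value is the new bufPos, and encode == false only measures (assumed). */

/* BER length: short form (< 128) is one byte; long form is 0x80|n then n bytes. */
static int ber_encode_length(uint8_t *buffer, int bufPos, uint32_t length, bool encode) {
    if (length < 128) {
        if (encode) buffer[bufPos] = (uint8_t)length;
        return bufPos + 1;
    }
    int n = (length > 0xFFFFFF) ? 4 : (length > 0xFFFF) ? 3 : (length > 0xFF) ? 2 : 1;
    if (encode) {
        buffer[bufPos] = (uint8_t)(0x80 | n);
        for (int i = 0; i < n; i++)
            buffer[bufPos + 1 + i] = (uint8_t)(length >> (8 * (n - 1 - i)));
    }
    return bufPos + 1 + n;
}

/* MMS Data CHOICE integer: context tag [5] primitive (0x85), length, then the value. */
static int encode_mms_int8(int8_t value, uint8_t *buffer, int bufPos, bool encode) {
    if (encode) buffer[bufPos] = 0x85;
    bufPos = ber_encode_length(buffer, bufPos + 1, 1, encode);
    if (encode) buffer[bufPos] = (uint8_t)value;
    return bufPos + 1;
}

/* Correct pattern: size pass (encode=false), allocate exactly that, then encode. */
static uint8_t *encode_int8_safe(int8_t value, int *outLen) {
    *outLen = encode_mms_int8(value, NULL, 0, false);
    uint8_t *buf = malloc((size_t)*outLen);
    if (buf) encode_mms_int8(value, buf, 0, true);
    return buf;
}

/* Defensive wrapper for a caller-supplied buffer: return -1 instead of overflowing. */
static int encode_int8_bounded(int8_t value, uint8_t *buf, int bufSize, int bufPos) {
    if (encode_mms_int8(value, NULL, bufPos, false) > bufSize) return -1;
    return encode_mms_int8(value, buf, bufPos, true);
}

/* Byte `index` of the safely encoded value, or -1 if out of range. */
static int encoded_byte(int8_t value, int index) {
    int len = 0;
    uint8_t *buf = encode_int8_safe(value, &len);
    int b = (buf && index >= 0 && index < len) ? buf[index] : -1;
    free(buf);
    return b;
}
```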
