
Commit 4286dfc

committed
Produce error when DefBuffer is larger than its size
This was picked up by fuzzing.
1 parent f19e043 commit 4286dfc


2 files changed

+7
-0
lines changed


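--- a/aml/src/lib.rs
+++ b/aml/src/lib.rs
@@ -621,6 +621,8 @@ pub enum AmlError {
 InvalidRegionSpace(u8),
 /// Produced when a `DefPackage` contains a different number of elements to the package's length.
 InvalidPackage,
+/// Produced when a `DefBuffer` contains more bytes that its size.
+MalformedBuffer,
 /// Emitted by a parser when it's clear that the stream doesn't encode the object parsed by
 /// that parser (e.g. the wrong opcode starts the stream). This is handled specially by some
 /// parsers such as `or` and `choice!`.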
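Review bot: The doc comment on the new `MalformedBuffer` variant has a typo ("that its size") and does not say which two lengths are being compared. Suggested wording: ``/// Produced when a `DefBuffer`'s initializer holds more bytes than its declared buffer size.`` This error is what a caller sees when a table is rejected, so naming both quantities makes a fuzzing finding or a firmware bug report easier to triage. The `AmlError` enum begins and ends outside the hunk.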

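--- a/aml/src/type2.rs
+++ b/aml/src/type2.rs
@@ -102,6 +102,11 @@ where
 pkg_length().then(term_arg()).feed(|(pkg_length, buffer_size)| {
 take_to_end_of_pkglength(pkg_length).map_with_context(move |bytes, context| {
 let buffer_size = try_with_context!(context, buffer_size.as_integer(context)) as usize;
+
+if buffer_size < bytes.len() {
+return (Err(AmlError::MalformedBuffer), context);
+}
+
 let mut buffer = vec![0; buffer_size];
 buffer.copy_from_slice(bytes);
 (Ok(buffer), context)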
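Review bot: The `buffer.copy_from_slice(bytes)` after the new guard still panics whenever `buffer_size` is greater than `bytes.len()`, because `copy_from_slice` requires both slices to have the same length and the guard only rejects the opposite case. The zero-initialised `vec!` suggests a buffer declared larger than its initializer is meant to keep a zero tail, so the copy should target the prefix: `buffer[..bytes.len()].copy_from_slice(bytes);`. Separately, `buffer_size` is read from the AML stream and passed to `vec![0; buffer_size]` with no upper bound, so a corrupt or hostile table can request an arbitrarily large allocation; the `as usize` cast would also truncate on a 32-bit target if `as_integer` returns a 64-bit value, which is not visible here. A sanity limit checked before allocating, returning `AmlError::MalformedBuffer`, would cover both. The closure and the enclosing parser continue outside the hunk.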
