Produce error when DefBuffer is larger than its size

This was picked up by fuzzing.
rust-osdev · Dec 30, 2020 · 4286dfc · 4286dfc
1 parent f19e043
commit 4286dfc
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/aml/src/lib.rs b/aml/src/lib.rs
@@ -621,6 +621,8 @@ pub enum AmlError {
     InvalidRegionSpace(u8),
     /// Produced when a `DefPackage` contains a different number of elements to the package's length.
     InvalidPackage,
+    /// Produced when a `DefBuffer` contains more bytes that its size.
+    MalformedBuffer,
     /// Emitted by a parser when it's clear that the stream doesn't encode the object parsed by
     /// that parser (e.g. the wrong opcode starts the stream). This is handled specially by some
     /// parsers such as `or` and `choice!`.

diff --git a/aml/src/type2.rs b/aml/src/type2.rs
@@ -102,6 +102,11 @@ where
             pkg_length().then(term_arg()).feed(|(pkg_length, buffer_size)| {
                 take_to_end_of_pkglength(pkg_length).map_with_context(move |bytes, context| {
                     let buffer_size = try_with_context!(context, buffer_size.as_integer(context)) as usize;
+
+                    if buffer_size < bytes.len() {
+                        return (Err(AmlError::MalformedBuffer), context);
+                    }
+
                     let mut buffer = vec![0; buffer_size];
                     buffer.copy_from_slice(bytes);
                     (Ok(buffer), context)