Produce error when DefBuffer is larger than its size
This was picked up by fuzzing.
IsaacWoods committed Dec 30, 2020
1 parent f19e043 commit 4286dfc
Showing 2 changed files with 7 additions and 0 deletions.
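--- a/aml/src/lib.rs
+++ b/aml/src/lib.rs
@@ -621,6 +621,8 @@ pub enum AmlError {
 InvalidRegionSpace(u8),
 /// Produced when a `DefPackage` contains a different number of elements to the package's length.
 InvalidPackage,
+/// Produced when a `DefBuffer` contains more bytes that its size.
+MalformedBuffer,
 /// Emitted by a parser when it's clear that the stream doesn't encode the object parsed by
 /// that parser (e.g. the wrong opcode starts the stream). This is handled specially by some
 /// parsers such as `or` and `choice!`.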
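Review bot: The doc comment on the new `MalformedBuffer` variant says "more bytes that its size", which should read "than", and it does not say which size is meant. Going by the check in `aml/src/type2.rs`, the size is the evaluated buffer-size operand and the bytes are the initializer data, so I would write ``/// Produced when a `DefBuffer` contains more initializer bytes than its declared size.`` The `AmlError` enum starts and ends outside this hunk.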
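--- a/aml/src/type2.rs
+++ b/aml/src/type2.rs
@@ -102,6 +102,11 @@ where
 pkg_length().then(term_arg()).feed(|(pkg_length, buffer_size)| {
 take_to_end_of_pkglength(pkg_length).map_with_context(move |bytes, context| {
 let buffer_size = try_with_context!(context, buffer_size.as_integer(context)) as usize;
+
+if buffer_size < bytes.len() {
+return (Err(AmlError::MalformedBuffer), context);
+}
+
 let mut buffer = vec![0; buffer_size];
 buffer.copy_from_slice(bytes);
 (Ok(buffer), context)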
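Review bot: `buffer.copy_from_slice(bytes)` after the new check still panics whenever `buffer_size` is greater than `bytes.len()`, because `copy_from_slice` requires both slices to have the same length and the added guard rejects only the `buffer_size < bytes.len()` case. If an initializer shorter than the declared size is meant to be accepted with the remainder left zeroed, copy into the prefix instead: `buffer[..bytes.len()].copy_from_slice(bytes);`. Separately, `buffer_size` is taken from the AML stream, narrowed with `as usize`, and passed unbounded to `vec![0; buffer_size]`, so a malformed table can request a very large allocation. An upper bound or a checked conversion before allocating would be worth adding. The enclosing parser function starts and ends outside this hunk.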
