Skip to content


Browse files Browse the repository at this point in the history
Produce error when DefBuffer is larger than its size
This was picked up by fuzzing.
  • Loading branch information
IsaacWoods committed Dec 30, 2020
1 parent f19e043 commit 4286dfc
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 0 deletions.
2 changes: 2 additions & 0 deletions aml/src/
Expand Up @@ -621,6 +621,8 @@ pub enum AmlError {
/// Produced when a `DefPackage` contains a different number of elements to the package's length.
/// Produced when a `DefBuffer` contains more bytes that its size.
/// Emitted by a parser when it's clear that the stream doesn't encode the object parsed by
/// that parser (e.g. the wrong opcode starts the stream). This is handled specially by some
/// parsers such as `or` and `choice!`.
Expand Down
5 changes: 5 additions & 0 deletions aml/src/
Expand Up @@ -102,6 +102,11 @@ where
pkg_length().then(term_arg()).feed(|(pkg_length, buffer_size)| {
take_to_end_of_pkglength(pkg_length).map_with_context(move |bytes, context| {
let buffer_size = try_with_context!(context, buffer_size.as_integer(context)) as usize;

if buffer_size < bytes.len() {
return (Err(AmlError::MalformedBuffer), context);

let mut buffer = vec![0; buffer_size];
(Ok(buffer), context)
Expand Down

0 comments on commit 4286dfc

Please sign in to comment.