refactor(core): Validate Variant ArrayLength against its ArrayDimensions during binary decode

This led to the fuzzer complaining since we had the check for _encode
but not for _decode. This is not a direct memory issue per se. But the
consistency check allows early discovery of problematic values and
can potentially remove bugs where the user relies on the array
dimensions and the array length to match.
Julius Pfrommer 2024-10-22 21:47:15 +02:00 committed by Julius Pfrommer
parent db91b23259
commit b947352762


@ -1093,9 +1093,18 @@ DECODE_BINARY(Variant) {
}
/* Decode array dimensions */
if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0)
if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0) {
ret |= Array_decodeBinary((void**)&dst->arrayDimensions, &dst->arrayDimensionsSize,
&UA_TYPES[UA_TYPES_INT32], ctx);
/* Validate array length against array dimensions */
size_t totalSize = 1;
for(size_t i = 0; i < dst->arrayDimensionsSize; ++i) {
if(dst->arrayDimensions[i] == 0)
return UA_STATUSCODE_BADDECODINGERROR;
totalSize *= dst->arrayDimensions[i];
}
UA_CHECK(totalSize == dst->arrayLength, ret = UA_STATUSCODE_BADDECODINGERROR);
}
ctx->depth--;
return ret;
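Review bot: The early `return UA_STATUSCODE_BADDECODINGERROR;` inside the dimension loop exits without running the `ctx->depth--;` that follows the block, so a zero dimension leaves the depth counter incremented; whether that matters depends on whether the context is reused after a failed decode, which is not visible here. Separately, `totalSize *= dst->arrayDimensions[i]` is unchecked, so with dimensions taken from untrusted input the product can wrap `size_t` and still compare equal to `arrayLength`, which defeats the consistency check this commit adds. Both can be folded into the loop guard, e.g. `if(dst->arrayDimensions[i] == 0 || totalSize > SIZE_MAX / dst->arrayDimensions[i]) { ret = UA_STATUSCODE_BADDECODINGERROR; break; }`. The loop also runs when `Array_decodeBinary` has already failed, so it is worth confirming that call leaves `arrayDimensions` and `arrayDimensionsSize` consistent on error. DECODE_BINARY(Variant) begins above the hunk.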