decoder: add slice len bounds checks

gagliardetto · Aug 20, 2022 · f999127 · f999127
1 parent 990fbf1
commit f999127
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 0 deletions.
diff --git a/decoder_bin.go b/decoder_bin.go
@@ -20,6 +20,7 @@ package bin
 import (
 	"encoding/binary"
 	"fmt"
+	"io"
 	"reflect"
 
 	"go.uber.org/zap"
@@ -181,6 +182,10 @@ func (dec *Decoder) decodeBin(rv reflect.Value, opt *option) (err error) {
 			zlog.Debug("reading slice", zap.Int("len", l), typeField("type", rv))
 		}
 
+		if l > dec.Remaining() {
+			return io.ErrUnexpectedEOF
+		}
+
 		rv.Set(reflect.MakeSlice(rt, l, l))
 		for i := 0; i < l; i++ {
 			if err = dec.decodeBin(rv.Index(i), nil); err != nil {

diff --git a/decoder_borsh.go b/decoder_borsh.go
@@ -20,6 +20,7 @@ package bin
 import (
 	"errors"
 	"fmt"
+	"io"
 	"reflect"
 
 	"go.uber.org/zap"
@@ -200,6 +201,9 @@ func (dec *Decoder) decodeBorsh(rv reflect.Value, opt *option) (err error) {
 			// Empty slices are left nil
 			return
 		}
+		if l > dec.Remaining() {
+			return io.ErrUnexpectedEOF
+		}
 
 		rv.Set(reflect.MakeSlice(rt, l, l))
 		for i := 0; i < l; i++ {

diff --git a/decoder_compact-u16.go b/decoder_compact-u16.go
@@ -19,6 +19,7 @@ package bin
 
 import (
 	"fmt"
+	"io"
 	"reflect"
 
 	"go.uber.org/zap"
@@ -179,6 +180,10 @@ func (dec *Decoder) decodeCompactU16(rv reflect.Value, opt *option) (err error)
 			zlog.Debug("reading slice", zap.Int("len", l), typeField("type", rv))
 		}
 
+		if l > dec.Remaining() {
+			return io.ErrUnexpectedEOF
+		}
+
 		rv.Set(reflect.MakeSlice(rt, l, l))
 		for i := 0; i < l; i++ {
 			if err = dec.decodeCompactU16(rv.Index(i), nil); err != nil {