decoder: add slice len bounds checks #6
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The decoder performs memory allocations based on untrusted length inputs while decoding slices.
This patch adds an upper constraint to the slice element count before calling
runtime.MakeSlice
in decoder.It also fixes an integer overflow bug that could result in negative slice lengths.
Rationale: We assume each slice element is at least 1 byte large 1 Thus, for a valid encoding, the number of bytes remaining must be greater or equal to the number of slice elements. If there are less bytes remaining than the slice element count indicates, we would eventually try to read past the buffer and trip on
io.ErrUnexpectedEOF
. Thus we can safely bail early without actually deserializing slice elements.1 A slice element can reasonably only be zero bytes if all other elements are also zero bytes (ignoring custom
UnmarshalWithDecoder
). Zero size slices are rare and should be represented as a single varint instead anyways.Fixes gagliardetto/solana-go#95