Posted to commits@qpid.apache.org by ac...@apache.org on 2018/04/10 21:17:21 UTC
[27/55] [abbrv] qpid-proton git commit: PROTON-1414: Fix fuzzer found
read past buffer end
PROTON-1414: Fix fuzzer found read past buffer end
Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/f66a9701
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/f66a9701
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/f66a9701
Branch: refs/heads/go1
Commit: f66a970196ee0aa58a38daf8ada94ca1a0ecb862
Parents: 99b1d7f
Author: Andrew Stitcher <as...@apache.org>
Authored: Thu Mar 22 00:06:27 2018 -0400
Committer: Andrew Stitcher <as...@apache.org>
Committed: Thu Mar 22 02:18:42 2018 -0400
----------------------------------------------------------------------
proton-c/src/core/decoder.c | 2 ++
.../minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba | 1 +
tests/python/proton_tests/sasl.py | 2 +-
3 files changed, 4 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f66a9701/proton-c/src/core/decoder.c
----------------------------------------------------------------------
diff --git a/proton-c/src/core/decoder.c b/proton-c/src/core/decoder.c
index fc01767..f56b275 100644
--- a/proton-c/src/core/decoder.c
+++ b/proton-c/src/core/decoder.c
@@ -368,6 +368,7 @@ static int pni_decoder_decode_value(pn_decoder_t *decoder, pn_data_t *data, uint
case PNE_MAP8:
if (pn_decoder_remaining(decoder) < 2) return PN_UNDERFLOW;
size = pn_decoder_readf8(decoder);
+ if (pn_decoder_remaining(decoder) < size) return PN_UNDERFLOW;
count = pn_decoder_readf8(decoder);
break;
case PNE_ARRAY32:
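Review bot: The added `pn_decoder_remaining(decoder) < size` test in the 8-bit case proves only that `size` octets are present; it does not reject a `size` too small to hold the count field read on the next line, and `count` is never compared with `size`. A `size` of 0 still passes, and the count read stays inside the buffer only because of the earlier `< 2` check, so a malformed compound is accepted and passed on with a peer-supplied element count. I would add `if (size < 1) return PN_ARG_ERR;` before the count read here, and the equivalent `size < 4` test in the ARRAY32/LIST32/MAP32 hunk that follows. The rest of pni_decoder_decode_value lies outside the hunk, so whether element decoding later bounds itself by `size` or only by the remaining buffer should be confirmed there.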
@@ -375,6 +376,7 @@ static int pni_decoder_decode_value(pn_decoder_t *decoder, pn_data_t *data, uint
case PNE_MAP32:
if (pn_decoder_remaining(decoder) < 8) return PN_UNDERFLOW;
size = pn_decoder_readf32(decoder);
+ if (pn_decoder_remaining(decoder) < size) return PN_UNDERFLOW;
count = pn_decoder_readf32(decoder);
break;
default:
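Review bot: Nothing in the 32-bit case says why the new bound sits between the `size` read and the `count` read, yet the check is only correct in that position, because the encoded `size` covers the count field as well as the element bytes. A one-line comment above it would keep a later edit from moving it below the `pn_decoder_readf32` call for `count`, for example `/* size includes the count field, so test it before consuming count */`. The same comment fits the 8-bit case in the previous hunk. The enclosing function begins and ends outside the hunk.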
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f66a9701/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
----------------------------------------------------------------------
diff --git a/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba b/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
new file mode 100644
index 0000000..3de6476
--- /dev/null
+++ b/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
@@ -0,0 +1 @@
+��
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f66a9701/tests/python/proton_tests/sasl.py
----------------------------------------------------------------------
diff --git a/tests/python/proton_tests/sasl.py b/tests/python/proton_tests/sasl.py
index e916229..804c828 100644
--- a/tests/python/proton_tests/sasl.py
+++ b/tests/python/proton_tests/sasl.py
@@ -224,7 +224,7 @@ class SaslTest(Test):
out = self.t1.peek(1024)
self.t1.pop(len(out))
- self.t1.push(str2bin("6\x02\x01\x00\x00\x00S@\xc04\x01\xe01\x04\xa3\x05PLAIN\x0aDIGEST-MD5\x09ANONYMOUS\x08CRAM-MD5"))
+ self.t1.push(str2bin("6\x02\x01\x00\x00\x00S@\xc0\x29\x01\xe0\x26\x04\xa3\x05PLAIN\x0aDIGEST-MD5\x09ANONYMOUS\x08CRAM-MD5"))
out = self.t1.peek(1024)
self.t1.pop(len(out))
self.t1.push(str2bin("\x00\x00\x00\x10\x02\x01\x00\x00\x00SD\xc0\x03\x01P\x00"))
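Review bot: The two corrected length octets in the pushed mechanisms frame, `\xc0\x29` and `\xe0\x26`, are hand-computed and nothing beside the literal records what they cover. The previous values (`4` = 0x34 and `1` = 0x31) declared more bytes than the literal contains and went unnoticed until the decoder began checking. A comment above the `push` would make the next edit checkable, for example `# list8 size 0x29 = count(1) + array8 encoding (2 + 0x26); array8 size 0x26 = count(1) + constructor(1) + 36 octets of symbols`. The test method starts outside the hunk, so whether other hand-built frames in it need the same audit cannot be judged from here.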