Posted to commits@qpid.apache.org by as...@apache.org on 2018/03/22 06:20:31 UTC

[27/28] qpid-proton git commit: PROTON-1414: Fix fuzzer found read past buffer end

PROTON-1414: Fix fuzzer-found read past buffer end


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/f66a9701
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/f66a9701
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/f66a9701

Branch: refs/heads/master
Commit: f66a970196ee0aa58a38daf8ada94ca1a0ecb862
Parents: 99b1d7f
Author: Andrew Stitcher <as...@apache.org>
Authored: Thu Mar 22 00:06:27 2018 -0400
Committer: Andrew Stitcher <as...@apache.org>
Committed: Thu Mar 22 02:18:42 2018 -0400

----------------------------------------------------------------------
 proton-c/src/core/decoder.c                                        | 2 ++
 .../minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba        | 1 +
 tests/python/proton_tests/sasl.py                                  | 2 +-
 3 files changed, 4 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f66a9701/proton-c/src/core/decoder.c
----------------------------------------------------------------------
diff --git a/proton-c/src/core/decoder.c b/proton-c/src/core/decoder.c
index fc01767..f56b275 100644
--- a/proton-c/src/core/decoder.c
+++ b/proton-c/src/core/decoder.c
@@ -368,6 +368,7 @@ static int pni_decoder_decode_value(pn_decoder_t *decoder, pn_data_t *data, uint
     case PNE_MAP8:
       if (pn_decoder_remaining(decoder) < 2) return PN_UNDERFLOW;
       size = pn_decoder_readf8(decoder);
+      if (pn_decoder_remaining(decoder) < size) return PN_UNDERFLOW;
       count = pn_decoder_readf8(decoder);
       break;
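Review bot: The guard inserted after `size = pn_decoder_readf8(decoder);` bounds the encoded body as a whole but does not require `size` to cover the count field read on the next line, so a `size` of 0 here (or below 4 in the PNE_MAP32 hunk below) is still accepted with the count bytes lying outside the declared body; whether that is harmful depends on how `size` and `count` are consumed after `break`, which is outside the hunk. The second hunk at PNE_MAP32 has the same shape and the same remark applies there. A one-line comment would make the placement between the two reads self-explaining: `/* size counts the bytes after the size field (count + elements); all of them must be present */`. Since pni_decoder_decode_value continues past both hunks and `count` is untrusted input, the element loop that consumes it presumably still needs its own per-element underflow checks; this guard only bounds the byte total.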
     case PNE_ARRAY32:
@@ -375,6 +376,7 @@ static int pni_decoder_decode_value(pn_decoder_t *decoder, pn_data_t *data, uint
     case PNE_MAP32:
       if (pn_decoder_remaining(decoder) < 8) return PN_UNDERFLOW;
       size = pn_decoder_readf32(decoder);
+      if (pn_decoder_remaining(decoder) < size) return PN_UNDERFLOW;
       count = pn_decoder_readf32(decoder);
       break;
     default:

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f66a9701/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
----------------------------------------------------------------------
diff --git a/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba b/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
new file mode 100644
index 0000000..3de6476
--- /dev/null
+++ b/proton-c/src/tests/fuzz/fuzz-message-decode/minimized-from-6bdd20e31278a9c00b966db0a4e1b2dd412fdfba
@@ -0,0 +1 @@
+��
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/f66a9701/tests/python/proton_tests/sasl.py
----------------------------------------------------------------------
diff --git a/tests/python/proton_tests/sasl.py b/tests/python/proton_tests/sasl.py
index e916229..804c828 100644
--- a/tests/python/proton_tests/sasl.py
+++ b/tests/python/proton_tests/sasl.py
@@ -224,7 +224,7 @@ class SaslTest(Test):
     out = self.t1.peek(1024)
     self.t1.pop(len(out))
 
-    self.t1.push(str2bin("6\x02\x01\x00\x00\x00S@\xc04\x01\xe01\x04\xa3\x05PLAIN\x0aDIGEST-MD5\x09ANONYMOUS\x08CRAM-MD5"))
+    self.t1.push(str2bin("6\x02\x01\x00\x00\x00S@\xc0\x29\x01\xe0\x26\x04\xa3\x05PLAIN\x0aDIGEST-MD5\x09ANONYMOUS\x08CRAM-MD5"))
     out = self.t1.peek(1024)
     self.t1.pop(len(out))
     self.t1.push(str2bin("\x00\x00\x00\x10\x02\x01\x00\x00\x00SD\xc0\x03\x01P\x00"))
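Review bot: The replaced frame bytes on the `self.t1.push(str2bin("6\x02..."))` line now carry a list8 size of 0x29 and an array8 size of 0x26, which from the visible bytes equal the encoded payload (count, constructor and the four symbol8 mechanism names come to 38 bytes, the enclosing list body to 41), where the old 0x34/0x31 overstated them; nothing on the line says why the values changed, so the next person to edit the mechanism list will have no hint that the sizes must be recomputed. A comment above the push would capture this: `# sasl-mechanisms frame: list8/array8 size bytes (0x29/0x26) equal the encoded payload; the decoder rejects sizes larger than the remaining bytes`. The enclosing test method starts outside the hunk.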

