Skip to content

Commit

Permalink
impl: fix incorrect subtraction in FrameDecoder
Browse files Browse the repository at this point in the history 
Previously, the code was assuming that we could always subtract
4 from the length, but the length is untrusted data. If an invalid
length is detected, we return an error instead.

Closes #29
  • Loading branch information
@BurntSushi
BurntSushi authored Jul 6, 2020
2 parents 1951d5d + 332294d commit 0afa07f
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 3 deletions.
5 changes: 2 additions & 3 deletions src/error.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -153,9 +153,8 @@ pub enum Error {
/// The chunk type byte that was read.
byte: u8,
},
/// This error occurs when trying to read a chunk with length greater than
/// that supported by this library when reading a Snappy frame formatted
/// stream.
/// This error occurs when trying to read a chunk with an unexpected or
/// incorrect length when reading a Snappy frame formatted stream.
/// This error only occurs when reading a Snappy frame formatted stream.
UnsupportedChunkLength {
/// The length of the chunk encountered.
Expand Down
12 changes: 12 additions & 0 deletions src/read.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,12 @@ impl<R: io::Read> io::Read for FrameDecoder<R> {
}
}
Ok(ChunkType::Uncompressed) => {
if len < 4 {
fail!(Error::UnsupportedChunkLength {
len: len as u64,
header: false,
});
}
let expected_sum = bytes::io_read_u32_le(&mut self.r)?;
let n = len - 4;
if n > self.dst.len() {
Expand All @@ -187,6 +193,12 @@ impl<R: io::Read> io::Read for FrameDecoder<R> {
self.dste = n;
}
Ok(ChunkType::Compressed) => {
if len < 4 {
fail!(Error::UnsupportedChunkLength {
len: len as u64,
header: false,
});
}
let expected_sum = bytes::io_read_u32_le(&mut self.r)?;
let sn = len - 4;
if sn > self.src.len() {
Expand Down

0 comments on commit 0afa07f

Please sign in to comment.