RUST-1564 Fix a fuzzer-found failure (crossterm-rs#396)

december1981 · Jan 12, 2023 · 3960c0a · 3960c0a
1 parent 0b218ab
commit 3960c0a
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/src/de/raw.rs b/src/de/raw.rs
@@ -511,14 +511,16 @@ impl<'d, 'de> DocumentAccess<'d, 'de> {
         F: FnOnce(&mut Self) -> Result<O>,
     {
         let start_bytes = self.root_deserializer.bytes.bytes_read();
-        let out = f(self);
+        let out = f(self)?;
         let bytes_read = self.root_deserializer.bytes.bytes_read() - start_bytes;
-        *self.length_remaining -= bytes_read as i32;
-
-        if *self.length_remaining < 0 {
+        let bytes_read: i32 = bytes_read
+            .try_into()
+            .map_err(|_| Error::custom("overflow in read size"))?;
+        if bytes_read > *self.length_remaining {
             return Err(Error::custom("length of document too short"));
         }
-        out
+        *self.length_remaining -= bytes_read;
+        Ok(out)
     }
 
     /// Read the next value from the document.

diff --git a/src/tests/serde.rs b/src/tests/serde.rs
@@ -1042,3 +1042,9 @@ fn oid_as_hex_string() {
     let doc = to_document(&foo).unwrap();
     assert_eq!(doc.get_str("oid").unwrap(), oid.to_hex());
 }
+
+#[test]
+fn fuzz_regression_00() {
+    let buf: &[u8] = &[227, 0, 35, 4, 2, 0, 255, 255, 255, 127, 255, 255, 255, 47];
+    let _ = crate::from_slice::<Document>(buf);
+}