fix: fix protobuf processing causing index out of range errors

dclayton-godaddy · dclayton-godaddy · commit d39d2c0d8001 · 2025-08-28T12:36:02.000-07:00
diff --git a/src/index.ts b/src/index.ts
@@ -37,6 +37,10 @@ class Reader {
   public next(len: number): number[] {
     const n = new Array();
     for (let i = 0; i < len; i++) {
+      // Stop reading if an error occurred
+      if (this.error) {
+        return n;
+      }
       n[i] = this.nextByte();
     }
     return n;
@@ -54,6 +58,11 @@ function readProtoVarInt(reader: Reader): number {
     if ((b & 0x80) === 0) {
       break;
     }
+    if (idx >= 10) {
+      // Varint can be between 1 and 10 bytes. This is too large.
+      reader.error = true;
+      break;
+    }
     idx++;
   }
 
diff --git a/test/fixtures/vai_script.txt b/test/fixtures/vai_script.txt
@@ -0,0 +1,3 @@
+ꕢꕎꕌ ꔖꔜꕯꕊ (1) ꕉꕜꕮ ꔔꘋ ꖸ ꔰ ꗋꘋ ꕮꕨ ꔔꘋ ꖸ ꕎ ꕉꖸꕊ ꕴꖃ ꕃꔤꘂ ꗱ, ꕉꖷ ꗪꗡ ꔻꔤ ꗏꗒꗡ ꕎ ꗪ ꕉꖸꕊ ꖏꕎ. ꕉꕡ ꖏ ꗳꕮꕊ ꗏ ꕪ ꗓ ꕉꖷ ꕉꖸ ꕘꕞ ꗪ. ꖏꖷ ꕉꖸꔧ ꖏ ꖸ ꕚꕌꘂ ꗷꔤ ꕞ ꘃꖷ ꘉꔧ ꗠꖻ ꕞ ꖴꘋ ꔳꕩ ꕉꖸ ꗳ.
+
+ꕢꕎꕌ ꗱꕞꕯꕊ (2) ꗞ ꗏꗒ ꔰ ꕚ ꖷ ꗋꖺꕒꕌ ꖸ ꔰ ꕞ ꕺꖃ ꘈꗢ ꗏ ꗷꔤ ꕞ ꘃꖷ ꗞ ꗏ ꗓꖺ ꔰ ꔇꔀ ꕉ ꕮ, ꕉꔤ ꔳ ꗞ ꔱꔤꕮ ꖏ ꖺ ꗞ ꗬꔤꕮ ꖺ ꗞ ꕺꖃ ꕮꔧ ꕮꔕ, ꕉꔤ ꔳ ꖷꖬ ꖏ ꖺ ꕪꔤ, ꕉꔤ ꕢ ꔽꔤ ꕮ ꖺ ꔵꘉ, ꖺ ꕐꕌꔳ, ꖺ ꖏ ꘀꗫ ꕃꔤ ꖺ ꗞꗢ ꗃꕎ ꕸꖃ ꖷ ꗏ ꖺ ꗞ ꖷ ꖸ ꗏ, ꕉꔤ ꔳ ꔻꔤ ꗞꖻ ꖏ ꖺ ꔌꘋ ꕴꕱ ꗞꖻ, ꕉꔤ ꕢ ꕴꖃ ꕃꔤ ꕮ ꔧ ꖏ ꕮꔕ ꗷꔤ ꔰ. ꕉꔤ ꕒꕢ ꕉ ꔫꔤ ꕞ, ꗞ ꕮ ꗞ ꖸ ꗏ ꗓꖺ ꕮꕨ ꔻꔤ ꖏ ꗱ, ꖺ ꕢꕎꕌ ꖏ ꖴꕮ ꖺ ꗷꔤ ꖷ ꖦꖕꕰꕊ ꗪ ꗞꗢ ꕞ ꕴꖃ ꕸꖃꔀ ꗱ ꗡꕯ, ꖺ ꕐꕌꔳ ꖷ ꗏ ꗞꗢ ꗃꕎ, ꕉꔤ ꔳ ꕸꖃ ꖴꘋ ꖏ, ꔧ ꗨꗡ ꕉꕌ ꕸꖃꔀ ꗪ ꕸꖃ ꕮꔕ ꗛꖺ, ꔧ ꗨꗡ ꕉꕌ ꕸꖃꔀ ꗪ ꖴꗷ ꕢꕮ ꕒꕩ ꗏ ꖺ ꗷꔤ ꕮꔕ ꔰ ꕞ.
diff --git a/test/index.test.ts b/test/index.test.ts
@@ -1,7 +1,7 @@
 import { isBinaryFile, isBinaryFileSync } from '../src/index';
 
 import * as fs from 'fs';
-import {promises as fsPromises} from 'fs';
+import { promises as fsPromises } from 'fs';
 import * as path from 'path';
 
 const FIXTURE_PATH = "./test/fixtures";
@@ -166,6 +166,16 @@ describe('async', () => {
     expect(result).toBe(true);
   });
 
+  it("should return false on a Vai script file", async () => {
+    const file = path.join(FIXTURE_PATH, "vai_script.txt");
+
+    expect.assertions(1);
+
+    const result = await isBinaryFile(file);
+
+    expect(result).toBe(false);
+  });
+
 });
 
 describe('sync', () => {
@@ -286,11 +296,19 @@ describe('sync', () => {
     const files = fs.readdirSync(encodingDir);
 
     files.forEach((file) => {
-      if (!/big5/.test(file) && !/gb/.test(file) && !/kr/.test(file)){
+      if (!/big5/.test(file) && !/gb/.test(file) && !/kr/.test(file)) {
         expect(isBinaryFileSync(path.join(encodingDir, file))).toBe(false);
       }
     });
   });
+
+  it("should return false on a Vai script file", () => {
+    const file = path.join(FIXTURE_PATH, "vai_script.txt");
+
+    const result = isBinaryFileSync(file);
+
+    expect(result).toBe(false);
+  });
 });
 
 it("should return false on a UTF-8 file with emoji", () => {

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+ꕢꕎꕌ ꔖꔜꕯꕊ (1) ꕉꕜꕮ ꔔꘋ ꖸ ꔰ ꗋꘋ ꕮꕨ ꔔꘋ ꖸ ꕎ ꕉꖸꕊ ꕴꖃ ꕃꔤꘂ ꗱ, ꕉꖷ ꗪꗡ ꔻꔤ ꗏꗒꗡ ꕎ ꗪ ꕉꖸꕊ ꖏꕎ. ꕉꕡ ꖏ ꗳꕮꕊ ꗏ ꕪ ꗓ ꕉꖷ ꕉꖸ ꕘꕞ ꗪ. ꖏꖷ ꕉꖸꔧ ꖏ ꖸ ꕚꕌꘂ ꗷꔤ ꕞ ꘃꖷ ꘉꔧ ꗠꖻ ꕞ ꖴꘋ ꔳꕩ ꕉꖸ ꗳ.`
	`2`	`+`
	`3`	+ꕢꕎꕌ ꗱꕞꕯꕊ (2) ꗞ ꗏꗒ ꔰ ꕚ ꖷ ꗋꖺꕒꕌ ꖸ ꔰ ꕞ ꕺꖃ ꘈꗢ ꗏ ꗷꔤ ꕞ ꘃꖷ ꗞ ꗏ ꗓꖺ ꔰ ꔇꔀ ꕉ ꕮ, ꕉꔤ ꔳ ꗞ ꔱꔤꕮ ꖏ ꖺ ꗞ ꗬꔤꕮ ꖺ ꗞ ꕺꖃ ꕮꔧ ꕮꔕ, ꕉꔤ ꔳ ꖷꖬ ꖏ ꖺ ꕪꔤ, ꕉꔤ ꕢ ꔽꔤ ꕮ ꖺ ꔵꘉ, ꖺ ꕐꕌꔳ, ꖺ ꖏ ꘀꗫ ꕃꔤ ꖺ ꗞꗢ ꗃꕎ ꕸꖃ ꖷ ꗏ ꖺ ꗞ ꖷ ꖸ ꗏ, ꕉꔤ ꔳ ꔻꔤ ꗞꖻ ꖏ ꖺ ꔌꘋ ꕴꕱ ꗞꖻ, ꕉꔤ ꕢ ꕴꖃ ꕃꔤ ꕮ ꔧ ꖏ ꕮꔕ ꗷꔤ ꔰ. ꕉꔤ ꕒꕢ ꕉ ꔫꔤ ꕞ, ꗞ ꕮ ꗞ ꖸ ꗏ ꗓꖺ ꕮꕨ ꔻꔤ ꖏ ꗱ, ꖺ ꕢꕎꕌ ꖏ ꖴꕮ ꖺ ꗷꔤ ꖷ ꖦꖕꕰꕊ ꗪ ꗞꗢ ꕞ ꕴꖃ ꕸꖃꔀ ꗱ ꗡꕯ, ꖺ ꕐꕌꔳ ꖷ ꗏ ꗞꗢ ꗃꕎ, ꕉꔤ ꔳ ꕸꖃ ꖴꘋ ꖏ, ꔧ ꗨꗡ ꕉꕌ ꕸꖃꔀ ꗪ ꕸꖃ ꕮꔕ ꗛꖺ, ꔧ ꗨꗡ ꕉꕌ ꕸꖃꔀ ꗪ ꖴꗷ ꕢꕮ ꕒꕩ ꗏ ꖺ ꗷꔤ ꕮꔕ ꔰ ꕞ.