
Crash when string length is negative

Open to-miz opened this issue 3 years ago • 0 comments

When using negative lengths for strings, there is a crash. There seems to be no validation on the string length or the result of malloc, so negative or huge values can result in a crash.

Minimal example program:

#include <stdio.h>
#include <stdint.h>
#include "ubj.h"
#include "ubjr.c"

int main()
{
    /* 'S' = UBJSON string marker, 'i' = int8 length type, -1 = negative length,
       followed by filler payload bytes */
    char test[258] = {'S', 'i', -1, 't'};
    for (int i = 3; i < 258; ++i)
    {
        test[i] = 't';
    }
    ubjr_context_t *ctx = ubjr_open_memory((const uint8_t *)test, (const uint8_t *)(test + sizeof(test)));
    ubjr_dynamic_t value = ubjr_read_dynamic(ctx); /* crashes here on the negative length */
    if (value.type == UBJ_STRING)
    {
        printf("%s\n", value.string);
    }
    else
    {
        printf("ERROR\n");
    }
    ubjr_cleanup_dynamic(&value);
    ubjr_close_context(ctx);
    return 0;
}

to-miz, Jul 20 '22 09:07
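For reference, this is what a length-checked reader for the UBJSON string header looks like. It is an added example, not code from the ubj library; it assumes the UBJSON spec's big-endian integer encoding and the standard length-type markers (i, U, I, l, L), and rejects exactly the conditions the report names: a negative length, a length larger than the remaining input, and a failed malloc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read a big-endian integer of n bytes (1..8) and sign-extend it. */
static int64_t be_int(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[i];
    if (n < 8 && (v >> (n * 8 - 1)) & 1) v |= ~0ULL << (n * 8); /* sign-extend */
    return (int64_t)v;
}

/* Parse a UBJSON string ('S', length-type marker, length, bytes) from [p, end).
 * Returns a NUL-terminated heap copy, or NULL if the header is truncated, the
 * length is negative or exceeds the remaining input, or malloc fails. */
char *ubj_read_string_checked(const uint8_t *p, const uint8_t *end, size_t *consumed)
{
    size_t n, is_signed = 1;
    if (end - p < 2 || p[0] != 'S') return NULL;
    switch (p[1]) {                 /* UBJSON integer type markers */
    case 'U': n = 1; is_signed = 0; break;
    case 'i': n = 1; break;
    case 'I': n = 2; break;
    case 'l': n = 4; break;
    case 'L': n = 8; break;
    default:  return NULL;          /* not a valid length type */
    }
    size_t hdr = 2 + n;
    if ((size_t)(end - p) < hdr) return NULL;                   /* truncated header */
    int64_t len = is_signed ? be_int(p + 2, n) : (int64_t)p[2];
    if (len < 0) return NULL;                                   /* the report's case */
    if ((uint64_t)len > (uint64_t)(end - p) - hdr) return NULL; /* longer than input */
    char *s = malloc((size_t)len + 1);
    if (s == NULL) return NULL;                                 /* check malloc */
    memcpy(s, p + hdr, (size_t)len);
    s[len] = '\0';
    if (consumed) *consumed = hdr + (size_t)len;
    return s;
}
int main(void)
{   /* constructed bytes mirroring the report: 'S', 'i', length -1, payload */
    const uint8_t bad[] = {'S', 'i', 0xFF, 't', 't', 't'};
    char *s = ubj_read_string_checked(bad, bad + sizeof bad, NULL);
    printf("%s\n", s ? s : "rejected (negative length)");
    free(s);
    return 0;
}
```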