Potential overflow problems occur all around the protobuf code.
For example, see message_lite.cc:
"
bool MessageLite::AppendPartialToString(string* output) const {
  int old_size = output->size();
  int byte_size = ByteSize();
  STLStringResizeUninitialized(output, old_size + byte_size);
  uint8* start = reinterpret_cast<uint8*>(string_as_array(output) + old_size);
  uint8* end = SerializeWithCachedSizesToArray(start);
  if (end - start != byte_size) {
    ByteSizeConsistencyError(byte_size, ByteSize(), end - start);
  }
  return true;
}
"
In the first two lines, size_t (unsigned 64-bit on a 64-bit architecture) is
cast to int (signed 32-bit).
The third line's problem is 'old_size + byte_size', which can overflow. There
should be a check before the summation, like:
size_t new_size = 0;
if (std::numeric_limits<size_t>::max() - old_size < byte_size) {
  // we have a problem
} else {
  new_size = old_size + byte_size;
}
STLStringResizeUninitialized correctly takes size_t as an input, but you
need to cast before the summation and not after, like "(size_t)old_size +
byte_size".
Next two lines: 'start' and 'end' are of type uint8, which is an unsigned
8-bit integer. On the next line this uint8 is compared with byte_size (a
1-byte variable compared with a 4-byte variable), and
ByteSizeConsistencyError is called when we are not happy with the comparison.
Now the funny part is the comment above the
MessageLite::ByteSizeConsistencyError method, which states:
"...If serialization produces a different number of bytes than expected, we
call this function, which crashes. The problem could be due to a bug in the
protobuf implementation..."
--
You received this message because you are subscribed to the Google Groups
"Protocol Buffers" group.
Visit this group at http://groups.google.com/group/protobuf.
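An added illustration of the pre-summation check the post proposes, not code from protobuf or from the poster: the size is widened to size_t before the addition and the sum is rejected if it would wrap. ComputeAppendSize, FitsInInt and SafeAppend are hypothetical helper names, and the payload string stands in for the serialized message.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <string>

// Hypothetical helper (not part of protobuf): computes old_size + byte_size
// in size_t without wrapping. Returns false if the sum would not fit or if
// byte_size is negative (ByteSize() returns an int in the quoted code).
bool ComputeAppendSize(size_t old_size, int byte_size, size_t* new_size) {
  if (byte_size < 0) {
    return false;  // a negative size can only come from a bug upstream
  }
  // Widen byte_size to size_t BEFORE the arithmetic so the addition itself
  // happens in the unsigned 64-bit type, as the post recommends.
  const size_t extra = static_cast<size_t>(byte_size);
  if (std::numeric_limits<size_t>::max() - old_size < extra) {
    return false;  // old_size + extra would wrap around
  }
  *new_size = old_size + extra;
  return true;
}

// The first defect the post names: std::string::size() is a size_t, and
// storing it in an int silently truncates on 64-bit hosts. Returns true
// only if the value can be represented as an int without change.
bool FitsInInt(size_t value) {
  return value <= static_cast<size_t>(std::numeric_limits<int>::max());
}

// Hardened append with the same shape as the quoted AppendPartialToString
// but with the size check hoisted out. The payload stands in for the
// serialized bytes; no real protobuf serialization happens here.
bool SafeAppend(std::string* output, const std::string& payload) {
  if (!FitsInInt(payload.size())) {
    return false;  // an int ByteSize() could not even represent this length
  }
  size_t new_size = 0;
  if (!ComputeAppendSize(output->size(), static_cast<int>(payload.size()),
                         &new_size)) {
    return false;  // refuse to resize instead of resizing to a wrapped value
  }
  const size_t old_size = output->size();
  output->resize(new_size);
  payload.copy(&(*output)[old_size], payload.size());
  return true;
}
```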