[protobuf] Re: getting crash from MessageLite::AppendPartialToString. Potential overflow problem all around the google protobuf code.

[hanyicai1988]

I got the same crash,how to avoid this kind of problem？I think this may be 
due to our special writing, but what are the specific possibilities?

在 2015年1月24日星期六 UTC+8上午7:19:05，Jana Baran写道：
>
> Potential overflow problem occurs all around the protobuf code.
> For example see message_lite.cc
>
> "
> bool MessageLite::AppendPartialToString(string* output) const {
>   int old_size = output->size();
>   int byte_size = ByteSize();
>   STLStringResizeUninitialized(output, old_size + byte_size);
>   uint8* start = reinterpret_cast<uint8*>(string_as_array(output) + 
> old_size);
>   uint8* end = SerializeWithCachedSizesToArray(start);
>   if (end - start != byte_size) {
>     ByteSizeConsistencyError(byte_size, ByteSize(), end - start);
>   }
>   return true;
> }
> "
>
> First two lines, size_t (unsigned 64b on a 64b architecture) is cast to 
> int (signed 32b). 
>
> Third line problem is 'old_size + byte_size' which can overflow. There 
> should be a check before the summation like:
>
> size_t new_size = 0;
> if (std::numeric_limits<size_t>::max() - old_size < byte_size) {
>  // we have a problem
> } else {
>  new_size = old_size + byte_size;
> }
>
> STLStringResizeUninitialized correctly takes size_t as an input but you 
> need to cast before the summation and not after, like "(size_t)old_size + 
> byte_size" 
>
> Next two lines: 'start' and 'end' is of type uint8 which is unsigned 8bit 
> integer. On next line this uint8 is compared with byte_size (1B variable 
> compared with 4B variable) and ByteSizeConsistencyError is called when we 
> are not happy with the comparison.
>
> Now funny part is the comment above MessageLite::ByteSizeConsistencyError 
> method which states:
>
> "...If serialization produces a different number of bytes than expected, 
> we call this function, which crashes. The problem could be due to a bug in 
> the protobuf implementation..." 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Protocol Buffers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to protobuf+unsubscr...@googlegroups.com.
To post to this group, send email to protobuf@googlegroups.com.
Visit this group at https://groups.google.com/group/protobuf.
For more options, visit https://groups.google.com/d/optout.