(smile) Handle invalid chunked-binary-format length gracefully #263

Closed
cowtowncoder opened this issue Mar 22, 2021 · 1 comment
Labels
fuzz Issue found by OssFuzz smile
Milestone

Comments

@cowtowncoder
Member

(found by OssFuzzer https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32339)

Another nice finding by the oss-fuzz project: looks like length handling for chunked (7-bit safe) binary blocks is missing some checks to either prevent use of negative lengths, or avoid int overflow.

@cowtowncoder
Member Author

Specifically, it's "all of the above": method _readUnsignedVInt() needs to validate that the input value does not overflow positive 32-bit int.

@cowtowncoder cowtowncoder added this to the 2.12.3 milestone Mar 23, 2021
@cowtowncoder cowtowncoder added the fuzz Issue found by OssFuzz label Apr 5, 2021
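Added example (not code from jackson-dataformats-binary or from this issue's fix): a stand-alone decoder for the unsigned VInt that prefixes a Smile 7-bit-safe ("chunked") binary block, shown once without the overflow check the comment above asks for and once with it. The VInt layout is assumed from the Smile format description (leading bytes carry 7 data bits with the MSB clear; the terminating byte has the MSB set and carries the final 6 bits); the method names, the `int[]` cursor and the malformed input bytes are all constructed for this example.

```java
import java.io.IOException;
import java.util.Arrays;

/**
 * Added example, not jackson-dataformats-binary code: decoding a Smile
 * unsigned VInt length with and without a 32-bit overflow check.
 *
 * Assumed VInt layout: leading bytes hold 7 data bits each (MSB clear);
 * the final byte has the MSB set and holds the last 6 data bits.
 */
public final class SmileVIntCheck {

    /** Unchecked decoder: the shifts silently discard bits past bit 31, so
     *  an over-long input yields a negative or truncated length. */
    static int readUnsignedVIntUnchecked(byte[] buf, int[] pos) throws IOException {
        int value = 0;
        while (true) {
            if (pos[0] >= buf.length) {
                throw new IOException("unexpected end of input inside VInt");
            }
            int b = buf[pos[0]++];
            if (b < 0) {                          // MSB set: terminator, 6 data bits
                return (value << 6) + (b & 0x3F);
            }
            value = (value << 7) + b;             // MSB clear: 7 more data bits
        }
    }

    /** Hardened decoder: rejects any value that would not fit a non-negative
     *  32-bit int, and caps the number of leading bytes. */
    static int readUnsignedVIntChecked(byte[] buf, int[] pos) throws IOException {
        int value = 0;
        int leading = 0;
        while (true) {
            if (pos[0] >= buf.length) {
                throw new IOException("unexpected end of input inside VInt");
            }
            int b = buf[pos[0]++];
            if (b < 0) {
                // (value << 6) + 0x3F must stay <= Integer.MAX_VALUE
                if (value > (Integer.MAX_VALUE >> 6)) {
                    throw new IOException("VInt overflows positive 32-bit int");
                }
                return (value << 6) + (b & 0x3F);
            }
            // 31 usable bits allow at most 4 leading bytes (28 bits); the count
            // cap also rejects padding with leading zero bytes.
            if (leading == 4 || value > (Integer.MAX_VALUE >> 7)) {
                throw new IOException("VInt overflows positive 32-bit int");
            }
            value = (value << 7) + b;
            leading++;
        }
    }

    /** Encoder used only to build well-formed test vectors. */
    static byte[] encodeUnsignedVInt(int v) {
        if (v < 0) {
            throw new IllegalArgumentException("negative length");
        }
        byte[] tmp = new byte[5];                 // 6 + 4*7 bits covers any positive int
        int n = tmp.length;
        tmp[--n] = (byte) (0x80 | (v & 0x3F));    // terminator carries the low 6 bits
        v >>>= 6;
        while (v != 0) {
            tmp[--n] = (byte) (v & 0x7F);
            v >>>= 7;
        }
        return Arrays.copyOfRange(tmp, n, tmp.length);
    }

    public static void main(String[] args) throws IOException {
        // Well-formed values round-trip through both decoders.
        for (int v : new int[] {0, 63, 64, 1000, Integer.MAX_VALUE}) {
            byte[] enc = encodeUnsignedVInt(v);
            if (readUnsignedVIntUnchecked(enc, new int[1]) != v
                    || readUnsignedVIntChecked(enc, new int[1]) != v) {
                throw new AssertionError("round trip failed for " + v);
            }
        }

        // Constructed malformed length: four full 7-bit bytes plus a terminator
        // encode a 34-bit value, which the unchecked decoder wraps to -1.
        byte[] tooLong = {0x7F, 0x7F, 0x7F, 0x7F, (byte) 0xBF};
        int unchecked = readUnsignedVIntUnchecked(tooLong, new int[1]);
        if (unchecked != -1) {
            throw new AssertionError("expected wrapped -1, got " + unchecked);
        }
        System.out.println("unchecked decoder returned " + unchecked + " as the block length");
        try {
            readUnsignedVIntChecked(tooLong, new int[1]);
            throw new AssertionError("checked decoder accepted an overflowing length");
        } catch (IOException expected) {
            System.out.println("checked decoder rejected it: " + expected.getMessage());
        }
    }
}
```

Compile and run with `javac SmileVIntCheck.java && java SmileVIntCheck`. The pre-shift comparisons against `Integer.MAX_VALUE >> 7` and `>> 6` are what make the check exact: after the shift and the add of at most 0x7F (or 0x3F) the result is still at most `Integer.MAX_VALUE`, so a length that passes can never be negative and is safe to use for buffer allocation.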