Fix an out-of-bounds read when the element is bigger than the buffer.

Ensure the size of the buffer being checked is bigger than the element
of the buffer being checked. The buffer can be triggered when, for
example, the buffer is of length zero and we are checking for:

    Verify<uoffset_t>(buf_)

The condition above should fail.
Tiago Cogumbreiro 2015-09-18 20:38:47 -05:00
parent 5de28c74f9
commit 477fedccd4
1 changed files with 1 additions and 1 deletions

@ -898,7 +898,7 @@ class Verifier FLATBUFFERS_FINAL_CLASS {
// Verify any range within the buffer.
bool Verify(const void *elem, size_t elem_len) const {
return Check(elem >= buf_ && elem <= end_ - elem_len);
return Check(elem_len <= (size_t) (end_ - buf_) && elem >= buf_ && elem <= end_ - elem_len);
}
// Verify a range indicated by sizeof(T).
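Review bot: the new `elem_len <= (size_t) (end_ - buf_)` term in `Verify(const void *elem, size_t elem_len)` only protects the read because it is evaluated first. The `&&` short-circuit is what stops `end_ - elem_len` from being formed when `elem_len` exceeds the buffer size, and that subtraction would otherwise produce a pointer before `buf_`. A short comment above the `return` stating that the length check must stay ahead of the pointer comparisons would keep a later reordering from reintroducing the bug. Two smaller points: the C-style cast could be `static_cast<size_t>(end_ - buf_)`, and the commit touches one file only, so the zero-length case from the message (`Verify<uoffset_t>(buf_)` on an empty buffer returning false) has no regression test yet and deserves one.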