aboutsummaryrefslogtreecommitdiffstats
path: root/testing/msgpuck
diff options
context:
space:
mode:
Diffstat (limited to 'testing/msgpuck')
-rw-r--r--testing/msgpuck/APKBUILD43
-rw-r--r--testing/msgpuck/fix-possible-integer-overflow-in-mp_check.patch227
2 files changed, 270 insertions, 0 deletions
diff --git a/testing/msgpuck/APKBUILD b/testing/msgpuck/APKBUILD
new file mode 100644
index 0000000000..a12e163379
--- /dev/null
+++ b/testing/msgpuck/APKBUILD
@@ -0,0 +1,43 @@
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
+# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
+pkgname=msgpuck
+pkgver=2.0
+pkgrel=0
+pkgdesc="A simple and efficient MsgPack binary serialization library"
+url="https://github.com/rtsisyk/msgpuck"
+arch="all"
+license="BSD-2"
+makedepends="cmake doxygen"
+subpackages="$pkgname-dev $pkgname-doc"
+source="$pkgname-$pkgver.tar.gz::https://github.com/rtsisyk/$pkgname/archive/$pkgver.tar.gz
+ fix-possible-integer-overflow-in-mp_check.patch"
+builddir="$srcdir/$pkgname-$pkgver"
+
+build() {
+ cd "$builddir"
+
+ cmake \
+ -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+ -DCMAKE_C_FLAGS="$CFLAGS" \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DCMAKE_INSTALL_LIBDIR=lib \
+ -DCMAKE_VERBOSE_MAKEFILE=ON
+ make all man
+}
+
+check() {
+ cd "$builddir"
+ make test
+}
+
+package() {
+ cd "$builddir"
+
+ make install DESTDIR="$pkgdir"
+
+ mkdir -p "$pkgdir"/usr/share/man
+ cp -a doc/man/* "$pkgdir"/usr/share/man/
+}
+
+sha512sums="54c5d1dab6a61039147864e525829a829f039f420b7804052045bffb672127953260b59243a7e78b5fc008c1e418622e7b17e32d431bf382a101dbd8725784a2 msgpuck-2.0.tar.gz
+c2c92df850a6f2f593f3737b7847a3c165656bd56868bb3b6db7bd6561de029259d27fe71504835e3eaa9cd76965ff6afc32a898a55318d0ae035440cca66285 fix-possible-integer-overflow-in-mp_check.patch"
diff --git a/testing/msgpuck/fix-possible-integer-overflow-in-mp_check.patch b/testing/msgpuck/fix-possible-integer-overflow-in-mp_check.patch
new file mode 100644
index 0000000000..4565c71c5b
--- /dev/null
+++ b/testing/msgpuck/fix-possible-integer-overflow-in-mp_check.patch
@@ -0,0 +1,227 @@
+From 40e24ccf3ec191e6f576da967a64630ca2160bfc Mon Sep 17 00:00:00 2001
+From: Roman Tsisyk <roman@tsisyk.com>
+Date: Fri, 23 Jun 2017 11:34:07 +0300
+Subject: [PATCH] Fix possible integer overflow in mp_check()
+
+Malformed MessagePack can cause `int k` counter overflow
+inside mp_check()/mp_next().
+
+Closes #16
+
+Patch-Source: https://github.com/rtsisyk/msgpuck/commit/40e24ccf3ec191e6f576da967a64630ca2160bfc
+---
+ msgpuck.h | 59 +++++++++++++++++++++++++++++-----------------------------
+ test/msgpuck.c | 42 ++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 70 insertions(+), 31 deletions(-)
+
+diff --git a/msgpuck.h b/msgpuck.h
+index e585a0f3..4ef9f148 100644
+--- a/msgpuck.h
++++ b/msgpuck.h
+@@ -1980,10 +1980,10 @@ enum {
+ };
+
+ MP_PROTO void
+-mp_next_slowpath(const char **data, int k);
++mp_next_slowpath(const char **data, int64_t k);
+
+ MP_IMPL void
+-mp_next_slowpath(const char **data, int k)
++mp_next_slowpath(const char **data, int64_t k)
+ {
+ for (; k > 0; k--) {
+ uint8_t c = mp_load_u8(data);
+@@ -2056,7 +2056,7 @@ mp_next_slowpath(const char **data, int k)
+ MP_IMPL void
+ mp_next(const char **data)
+ {
+- int k = 1;
++ int64_t k = 1;
+ for (; k > 0; k--) {
+ uint8_t c = mp_load_u8(data);
+ int l = mp_parser_hint[c];
+@@ -2081,14 +2081,17 @@ mp_next(const char **data)
+ MP_IMPL int
+ mp_check(const char **data, const char *end)
+ {
+- int k;
+- for (k = 1; k > 0; k--) {
+- if (mp_unlikely(*data >= end))
+- return 1;
++#define MP_CHECK_LEN(_l) \
++ if (mp_unlikely((size_t)(end - *data) < (size_t)(_l))) \
++ return 1;
+
++ int64_t k;
++ for (k = 1; k > 0; k--) {
++ MP_CHECK_LEN(1);
+ uint8_t c = mp_load_u8(data);
+ int l = mp_parser_hint[c];
+ if (mp_likely(l >= 0)) {
++ MP_CHECK_LEN(l);
+ *data += l;
+ continue;
+ } else if (mp_likely(l > MP_HINT)) {
+@@ -2100,71 +2103,68 @@ mp_check(const char **data, const char *end)
+ switch (l) {
+ case MP_HINT_STR_8:
+ /* MP_STR (8) */
+- if (mp_unlikely(*data + sizeof(uint8_t) > end))
+- return 1;
++ MP_CHECK_LEN(sizeof(uint8_t));
+ len = mp_load_u8(data);
++ MP_CHECK_LEN(len);
+ *data += len;
+ break;
+ case MP_HINT_STR_16:
+ /* MP_STR (16) */
+- if (mp_unlikely(*data + sizeof(uint16_t) > end))
+- return 1;
++ MP_CHECK_LEN(sizeof(uint16_t));
+ len = mp_load_u16(data);
++ MP_CHECK_LEN(len);
+ *data += len;
+ break;
+ case MP_HINT_STR_32:
+ /* MP_STR (32) */
+- if (mp_unlikely(*data + sizeof(uint32_t) > end))
+- return 1;
++ MP_CHECK_LEN(sizeof(uint32_t))
+ len = mp_load_u32(data);
++ MP_CHECK_LEN(len);
+ *data += len;
+ break;
+ case MP_HINT_ARRAY_16:
+ /* MP_ARRAY (16) */
+- if (mp_unlikely(*data + sizeof(uint16_t) > end))
+- return 1;
++ MP_CHECK_LEN(sizeof(uint16_t));
+ k += mp_load_u16(data);
+ break;
+ case MP_HINT_ARRAY_32:
+ /* MP_ARRAY (32) */
+- if (mp_unlikely(*data + sizeof(uint32_t) > end))
+- return 1;
++ MP_CHECK_LEN(sizeof(uint32_t));
+ k += mp_load_u32(data);
+ break;
+ case MP_HINT_MAP_16:
+ /* MP_MAP (16) */
+- if (mp_unlikely(*data + sizeof(uint16_t) > end))
+- return 1;
++ MP_CHECK_LEN(sizeof(uint16_t));
+ k += 2 * mp_load_u16(data);
+ break;
+ case MP_HINT_MAP_32:
+ /* MP_MAP (32) */
+- if (mp_unlikely(*data + sizeof(uint32_t) > end))
+- return 1;
++ MP_CHECK_LEN(sizeof(uint32_t));
+ k += 2 * mp_load_u32(data);
+ break;
+ case MP_HINT_EXT_8:
+ /* MP_EXT (8) */
+- if (mp_unlikely(*data + sizeof(uint8_t) + 1 > end))
+- return 1;
++ MP_CHECK_LEN(sizeof(uint8_t) + sizeof(uint8_t));
+ len = mp_load_u8(data);
+ mp_load_u8(data);
++ MP_CHECK_LEN(len);
+ *data += len;
+ break;
+ case MP_HINT_EXT_16:
+ /* MP_EXT (16) */
+- if (mp_unlikely(*data + sizeof(uint16_t) + 1 > end))
++ MP_CHECK_LEN(sizeof(uint16_t) + sizeof(uint8_t));
+ return 1;
+ len = mp_load_u16(data);
+ mp_load_u8(data);
++ MP_CHECK_LEN(len);
+ *data += len;
+ break;
+ case MP_HINT_EXT_32:
+ /* MP_EXT (32) */
+- if (mp_unlikely(*data + sizeof(uint32_t) + 1 > end))
+- return 1;
+- len = mp_load_u32(data);
++ MP_CHECK_LEN(sizeof(uint32_t) + sizeof(uint8_t));
++ len = mp_load_u32(data);
+ mp_load_u8(data);
++ MP_CHECK_LEN(len);
+ *data += len;
+ break;
+ default:
+@@ -2172,9 +2172,8 @@ mp_check(const char **data, const char *end)
+ }
+ }
+
+- if (mp_unlikely(*data > end))
+- return 1;
+-
++ assert(*data <= end);
++#undef MP_CHECK_LEN
+ return 0;
+ }
+
+diff --git a/test/msgpuck.c b/test/msgpuck.c
+index 751b9e11..9265453e 100644
+--- a/test/msgpuck.c
++++ b/test/msgpuck.c
+@@ -1055,9 +1055,48 @@ test_numbers()
+ return check_plan();
+ }
+
++static int
++test_overflow()
++{
++ plan(4);
++ header();
++
++ const char *chk;
++ char *d;
++ d = data;
++ chk = data;
++ d = mp_encode_array(d, 1);
++ d = mp_encode_array(d, UINT32_MAX);
++ is(mp_check(&chk, d), 1, "mp_check array overflow")
++
++ d = data;
++ chk = data;
++ d = mp_encode_array(d, 1);
++ d = mp_encode_map(d, UINT32_MAX);
++ is(mp_check(&chk, d), 1, "mp_check map overflow")
++
++ d = data;
++ chk = data;
++ d = mp_encode_array(d, 2);
++ d = mp_encode_str(d, "", 0);
++ d = mp_encode_strl(d, UINT32_MAX);
++ is(mp_check(&chk, d), 1, "mp_check str overflow")
++
++ d = data;
++ chk = data;
++ d = mp_encode_array(d, 2);
++ d = mp_encode_bin(d, "", 0);
++ d = mp_encode_binl(d, UINT32_MAX);
++ is(mp_check(&chk, d), 1, "mp_check bin overflow")
++
++ footer();
++ return check_plan();
++}
++
++
+ int main()
+ {
+- plan(19);
++ plan(20);
+ test_uints();
+ test_ints();
+ test_bools();
+@@ -1077,6 +1116,7 @@ int main()
+ test_mp_print();
+ test_mp_check();
+ test_numbers();
++ test_overflow();
+
+ return check_plan();
+ }