From 5877d9a30de13ddafac596ba94373ed40efec60d Mon Sep 17 00:00:00 2001
From: Phil Turnbull
Date: Tue, 7 Aug 2018 12:44:20 -0400
Subject: [PATCH] Prevent out-of-bounds read when deserializing

We first serialize the total number of tags, then serialize each individual tag. If we don't have enough space to serialize a particular tag we stop serializing any remaining tags. However, this causes an out-of-bounds read when deserializing because there are less tags than expected.

Just bail when there are too many tags to serialize.
---
 src/scanner.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/scanner.cc b/src/scanner.cc
index 69e595b..dc1be41 100644
--- a/src/scanner.cc
+++ b/src/scanner.cc
@@ -34,14 +34,14 @@ struct Scanner {
 Tag &tag = tags[j];
 if (tag.type == CUSTOM) {
 unsigned name_length = tag.custom_tag_name.size();
- if (name_length > UINT8_MAX) break;
- if (i + 2 + name_length >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) break;
+ if (name_length > UINT8_MAX) return 0;
+ if (i + 2 + name_length >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) return 0;
 buffer[i++] = static_cast(tag.type);
 buffer[i++] = name_length;
 tag.custom_tag_name.copy(&buffer[i], name_length);
 i += name_length;
 } else {
- if (i + 1 >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) return 0;
+ if (i + 1 >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) return 0;
 buffer[i++] = static_cast(tag.type);
 }
 }
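Review bot: The three new `return 0` exits discard the whole scanner state as soon as one tag does not fit, and nothing next to them says why that is preferable to the old partial write, so a one-line comment above the first check would help: `// Bail out entirely: a truncated tag list would disagree with the count already written and the deserializer would read past the buffer.` The count write and the enclosing loop start before this hunk and the function continues after it, so the wording should be checked against the actual count-write line. This fix hardens only the producer; if deserialize trusts the serialized count, it should still bound every read against the `length` it is given so that a corrupted or foreign buffer cannot reproduce the same out-of-bounds read — that side is not in this hunk, so worth confirming. The `>=` comparisons also reject a tag that would fit exactly (`i + 2 + name_length == TREE_SITTER_SERIALIZATION_BUFFER_SIZE`), which is safe and conservative but wastes the last byte unless something after the loop needs it.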