Prevent out-of-bounds read when deserializing
We first serialize the total number of tags, then serialize each individual tag. If we don't have enough space to serialize a particular tag, we stop serializing any remaining tags. However, this causes an out-of-bounds read when deserializing, because there are fewer tags than the count claims. Just bail when there are too many tags to serialize.
This commit is contained in:
parent
e541c9b64b
commit
5877d9a30d
@ -34,14 +34,14 @@ struct Scanner {
Tag &tag = tags[j];
Tag &tag = tags[j];
if (tag.type == CUSTOM) {
if (tag.type == CUSTOM) {
unsigned name_length = tag.custom_tag_name.size();
unsigned name_length = tag.custom_tag_name.size();
if (name_length > UINT8_MAX) break;
if (name_length > UINT8_MAX) return 0;
if (i + 2 + name_length >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) break;
if (i + 2 + name_length >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) return 0;
buffer[i++] = static_cast<char>(tag.type);
buffer[i++] = static_cast<char>(tag.type);
buffer[i++] = name_length;
buffer[i++] = name_length;
tag.custom_tag_name.copy(&buffer[i], name_length);
tag.custom_tag_name.copy(&buffer[i], name_length);
i += name_length;
i += name_length;
} else {
} else {
if (i + 1 >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) break;
if (i + 1 >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) return 0;
buffer[i++] = static_cast<char>(tag.type);
buffer[i++] = static_cast<char>(tag.type);
}
}
}
}
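Review bot: The three new `return 0` statements (replacing `break` at the `name_length > UINT8_MAX` check and the two `TREE_SITTER_SERIALIZATION_BUFFER_SIZE` checks) need a comment saying why the whole serialization is abandoned instead of truncated, because the tag count has already been emitted before this loop according to the description and a future edit could easily reintroduce `break` and the count/tag mismatch with it; suggested comment above the first one: `// Bail out entirely: a truncated tag list would disagree with the count already written, and deserialize would then read past the end of the buffer.` The `>=` comparisons also reject a tag that would exactly fill the buffer (the last byte written is at index `i + 1 + name_length` in the custom branch and `i` in the plain branch), so `>` would be the tight bound; if the spare byte is deliberate, say so in the same comment. The enclosing serialize function, where `i` is initialised and the count is written, starts and ends outside this hunk, and the deserialize side is not in view, so whether it independently bounds-checks what it reads against `length` cannot be confirmed here.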