Prevent out-of-bounds read when deserializing

We first serialize the total number of tags, then serialize each individual
tag. If we don't have enough space to serialize a particular tag we stop
serializing any remaining tags.

However, this causes an out-of-bounds read when deserializing because there are
fewer tags than expected. Just bail when there are too many tags to serialize.
This commit is contained in:
Phil Turnbull 2018-08-07 12:44:20 -04:00
parent e541c9b64b
commit 5877d9a30d
No known key found for this signature in database
GPG Key ID: D81B30C00789D262
1 changed files with 3 additions and 3 deletions


@ -34,14 +34,14 @@ struct Scanner {
Tag &tag = tags[j]; Tag &tag = tags[j];
if (tag.type == CUSTOM) { if (tag.type == CUSTOM) {
unsigned name_length = tag.custom_tag_name.size(); unsigned name_length = tag.custom_tag_name.size();
if (name_length > UINT8_MAX) break; if (name_length > UINT8_MAX) return 0;
if (i + 2 + name_length >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) break; if (i + 2 + name_length >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) return 0;
buffer[i++] = static_cast<char>(tag.type); buffer[i++] = static_cast<char>(tag.type);
buffer[i++] = name_length; buffer[i++] = name_length;
tag.custom_tag_name.copy(&buffer[i], name_length); tag.custom_tag_name.copy(&buffer[i], name_length);
i += name_length; i += name_length;
} else { } else {
if (i + 1 >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) break; if (i + 1 >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) return 0;
buffer[i++] = static_cast<char>(tag.type); buffer[i++] = static_cast<char>(tag.type);
} }
} }
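Review bot: The three new `return 0;` paths (the `name_length > UINT8_MAX` check, the CUSTOM size check and the non-CUSTOM size check) make the scanner report an empty snapshot, so whether the stale-state problem is fully closed depends on the matching `deserialize` resetting `tags` when it is handed a zero-length buffer — worth confirming that branch exists, since this hunk cannot show it. The reason for abandoning the whole snapshot instead of truncating is only in the commit message, not next to the code, so I would put a comment on the first early return along the lines of `// Abort the whole snapshot: a partial tag list would disagree with the tag count written at the front of the buffer and make deserialize read past the end.`. The bytes already written into `buffer` before the early return are harmless, but a one-line comment saying the caller must treat a 0 return as "nothing to restore" would save the next reader the same inference. The enclosing serialize function, including where `i`, `j` and the leading tag count are written, starts and ends outside this hunk.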