BigfootDev/flatbuffers
1
0
Fork 1
mirror of https://github.com/google/flatbuffers.git synced 2026-06-02 04:04:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix an out-of bounds read when the element is bigger than the buffer.

Browse Source 
Ensure the size of the buffer being checked is bigger than the element
of the buffer being checked. The buffer can be triggered when, for
example, the buffer is of length zero and we are checking for:

    Verify<uoffset_t>(buf_)

The condition above should fail.
This commit is contained in:
Tiago Cogumbreiro
2015-09-18 20:38:47 -05:00
parent 5de28c74f9
commit 477fedccd4
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/flatbuffers/flatbuffers.h
View File

@@ -898,7 +898,7 @@ class Verifier FLATBUFFERS_FINAL_CLASS {
// Verify any range within the buffer.
bool Verify(const void *elem, size_t elem_len) const {
return Check(elem >= buf_ && elem <= end_ - elem_len);
return Check(elem_len <= (size_t) (end_ - buf_) && elem >= buf_ && elem <= end_ - elem_len);
}
// Verify a range indicated by sizeof(T).