diff options
| author | Barinzaya <barinzaya@gmail.com> | 2025-04-29 08:19:43 -0400 |
|---|---|---|
| committer | Barinzaya <barinzaya@gmail.com> | 2025-04-29 08:19:43 -0400 |
| commit | 3f5e09a0df18201e30a202a2074dc0c0a283c01b (patch) | |
| tree | be9789a8c2ade6d4560500e5436be2486499b3cb /core/encoding/cbor | |
| parent | 4f00224dd2908dc21c5412eba9167c63a217bf33 (diff) | |
Fixed an overflow when decoding a large CBOR slice.
The initial allocation for the slice is limited to prevent untrusted
data from forcing a huge allocation, but then the dynamic array was
created with a capacity of the unlimited length, rather than the actual
capacity of the allocation. This was causing a buffer overrun.
Diffstat (limited to 'core/encoding/cbor')
| -rw-r--r-- | core/encoding/cbor/unmarshal.odin | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/core/encoding/cbor/unmarshal.odin b/core/encoding/cbor/unmarshal.odin index f752c5275..24bbd8137 100644 --- a/core/encoding/cbor/unmarshal.odin +++ b/core/encoding/cbor/unmarshal.odin @@ -493,7 +493,7 @@ _unmarshal_array :: proc(d: Decoder, v: any, ti: ^reflect.Type_Info, hdr: Header data := mem.alloc_bytes_non_zeroed(t.elem.size * scap, t.elem.align, allocator=allocator, loc=loc) or_return defer if err != nil { mem.free_bytes(data, allocator=allocator, loc=loc) } - da := mem.Raw_Dynamic_Array{raw_data(data), 0, length, context.allocator } + da := mem.Raw_Dynamic_Array{raw_data(data), 0, scap, context.allocator } assign_array(d, &da, t.elem, length) or_return |