3Hren/msgpack-rust

rmpv read_value has no depth limit

Shadow53 opened this issue · 2 comments

I am using rmpv::decode::read_value to do some parsing and am running into stack overflows from this crate when fuzz testing my code:

# ...snip...
    #186 0x103c9be86 in rmpv::decode::value::read_value::h598f53b10a56f428+0x1596 (packet:x86_64+0x100086e86)
    #187 0x103ca380b in rmpv::decode::value::read_array_data::h9144944be4d4fde4+0x20b (packet:x86_64+0x10008e80b)
    #188 0x103c9be86 in rmpv::decode::value::read_value::h598f53b10a56f428+0x1596 (packet:x86_64+0x100086e86)
    #189 0x103ca380b in rmpv::decode::value::read_array_data::h9144944be4d4fde4+0x20b (packet:x86_64+0x10008e80b)
    #190 0x103c9be86 in rmpv::decode::value::read_value::h598f53b10a56f428+0x1596 (packet:x86_64+0x100086e86)
    #191 0x103ca380b in rmpv::decode::value::read_array_data::h9144944be4d4fde4+0x20b (packet:x86_64+0x10008e80b)
    #192 0x103c9be86 in rmpv::decode::value::read_value::h598f53b10a56f428+0x1596 (packet:x86_64+0x100086e86)
    #193 0x103ca380b in rmpv::decode::value::read_array_data::h9144944be4d4fde4+0x20b (packet:x86_64+0x10008e80b)
# ...snip...

Paging @aviramha

I've got a PR that I'm checking locally before submitting. Should fix the issue.
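A pre-decode guard against the unbounded nesting reported in this issue, as an added example that is not code from this thread, the PR mentioned above, or rmpv itself. The names `check_depth`, `ScanError` and `max_depth` are hypothetical; the scanner walks the MessagePack type tags iteratively so untrusted bytes can be screened before they reach `rmpv::decode::read_value`.

```rust
// Added example, not rmpv code. Open containers live on a Vec capped at `max_depth`; nothing recurses.
#[derive(Debug, PartialEq)]
pub enum ScanError { TooDeep, Truncated, Invalid }

// Read an n-byte big-endian length field at `*pos` and advance the cursor.
fn be_len(buf: &[u8], pos: &mut usize, n: usize) -> Result<usize, ScanError> {
    let bytes = buf.get(*pos..*pos + n).ok_or(ScanError::Truncated)?;
    *pos += n;
    Ok(bytes.iter().fold(0, |acc, &b| (acc << 8) | b as usize))
}

/// Returns the deepest array/map nesting in the first value of `buf`.
pub fn check_depth(buf: &[u8], max_depth: usize) -> Result<usize, ScanError> {
    let (mut pos, mut deepest) = (0usize, 0usize);
    let mut open: Vec<u64> = Vec::new(); // children still owed per open container
    loop {
        let tag = *buf.get(pos).ok_or(ScanError::Truncated)?;
        pos += 1;
        let w = |base: u8| 1usize << (tag - base); // width selector: 1, 2, 4, ...
        // (payload bytes to skip, child count if this is an array or map)
        let (skip, kids): (usize, Option<u64>) = match tag {
            0x00..=0x7f | 0xe0..=0xff | 0xc0 | 0xc2 | 0xc3 => (0, None),
            0x80..=0x8f => (0, Some(2 * (tag & 0x0f) as u64)), // fixmap
            0x90..=0x9f => (0, Some((tag & 0x0f) as u64)),     // fixarray
            0xa0..=0xbf => ((tag & 0x1f) as usize, None),      // fixstr
            0xc4..=0xc6 => (be_len(buf, &mut pos, w(0xc4))?, None), // bin
            0xc7..=0xc9 => (be_len(buf, &mut pos, w(0xc7))?.saturating_add(1), None), // ext
            0xca..=0xcb => (4 * w(0xca), None),  // float 32/64
            0xcc..=0xcf => (w(0xcc), None),      // uint 8..64
            0xd0..=0xd3 => (w(0xd0), None),      // int 8..64
            0xd4..=0xd8 => (1 + w(0xd4), None),  // fixext: type byte + data
            0xd9..=0xdb => (be_len(buf, &mut pos, w(0xd9))?, None), // str
            0xdc..=0xdd => (0, Some(be_len(buf, &mut pos, 2 * w(0xdc))? as u64)), // array
            0xde..=0xdf => (0, Some(2 * be_len(buf, &mut pos, 2 * w(0xde))? as u64)), // map
            _ => return Err(ScanError::Invalid), // 0xc1 is never used
        };
        pos = pos.checked_add(skip).filter(|&p| p <= buf.len()).ok_or(ScanError::Truncated)?;
        match kids {
            Some(n) if n > 0 => {
                if open.len() >= max_depth { return Err(ScanError::TooDeep); }
                open.push(n);
                deepest = deepest.max(open.len());
            }
            _ => { // value complete: pay it off against the enclosing containers
                while let Some(left) = open.last_mut() {
                    *left -= 1;
                    if *left > 0 { break; }
                    open.pop();
                }
                if open.is_empty() { return Ok(deepest); }
            }
        }
    }
}
```

Empty arrays and maps are treated as leaves, and a declared element count larger than the remaining input surfaces as `Truncated` rather than as an allocation.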