intel/tinycbor

cbor_value_map_find_value may crash with invalid input

thiagomacieira opened this issue · 3 comments

#include <stdint.h>
#include <stdio.h>
#include "cbor.h"          /* TinyCBOR public header */

#define VERIFY_CBOR(x) do { if (!(x)) return 0; } while(0)

/* Invalid input: an indefinite-length map (0xbf) whose contents are not well-formed CBOR. */
static const uint8_t buffer[128] = {0xbf,0x64,0x0a,0xe0,0xb5,0xbf,0x04,0x00,0xff,0x1e,0xff,0xff,0x80,0xbf,0xa4,0xbf,0xff,0x14,0x00,0x14,0x00,0xbf,0xbf,0xbf,0xe4,0xbf,0xbf,0x43,0xbf,0xbf,0xa0,0x13,0xaa,0xaa,0xaa,0xaa,0x70,0xaa,0xaa,0xaa,0xaa,0xaa,0xea,0xaa,0xae,0x05,0x11,0x62,0x78,0x7c,0x05,0x03,0x18,0x00,0x10,0x40,0x20,0x80,0x61,0x00,0xd8,0x00,0x00,0x00,0xde,0x00,0x00,0xcf,0x35,0x10,0x1e,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0xaa,0xff,0xaa,0xaa,0x00,0x01,0x07,0x00,0xaa,0xaa,0xac,0x05,0x03,0x1a,0x82,0xa4,0x40,0x0d,0x80,0x35,0x78,0xac,0x05,0x00,0x00,0x00,0x7f,0xff,0xff,0xff,0xa8,0xf2,0x61,0x00,0xd8,0x00,0x00,0x00,0xcf,0x62,0x78,0x78,0xac,0x05,0x00,0xbd,0x11,0xb6,0x03,0x66};

/* Returns 1 if every step succeeded, 0 at the first check that failed. */
static int find_c(void)
{
    CborParser parser;
    CborValue  it;
    CborValue  result;
    VERIFY_CBOR(cbor_parser_init(buffer, sizeof(buffer), 0, &parser, &it) == CborNoError);
    VERIFY_CBOR(cbor_value_is_map(&it));
    VERIFY_CBOR(cbor_value_map_find_value(&it, "c", &result) == CborNoError);
    return 1;
}

int main(void)
{
    printf("find_c() returned %d\n", find_c());
    return 0;
}

The last VERIFY_CBOR is expected to fail, but not crash.
@TSonono

Ran it now. Results in the following:

Assertion failed: (it->type != CborInvalidType), function cbor_value_advance, file
/Users/tsonono/repos/cbor-c-test/app/external/tinycbor/src/cborparser.c, line 526.

Added a test, cannot reproduce in 0.6 (dev branch).

Seems it got fixed by 2b2d663.
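The defensive step a practitioner would want in front of cbor_value_map_find_value, whatever TinyCBOR version is linked, is to reject untrusted input that is not well-formed before doing structured lookups on it. The following is an added example, not code from the issue or from TinyCBOR (which ships its own cbor_value_validate() with CborValidateBasic for this purpose): a standalone well-formedness check in the sense of RFC 8949 section 3 and Appendix C. The names cbor_check and cbor_item_len, the cbor_wf result codes, the depth limit and the short sample inputs are assumptions made here; only issue_buf is copied from the report above. Run on that buffer, the check stops at byte 8: the break 0xff closes the indefinite-length map right after the key 0x00, so the map has an odd number of items.

```c
/* Basic CBOR well-formedness check (RFC 8949 section 3 and Appendix C), added here
 * as an example; not TinyCBOR code. cbor_check, cbor_item_len, the cbor_wf codes
 * and the short sample inputs are assumptions; only issue_buf comes from the report. */
#include <stdint.h>
#include <stdio.h>

#define CBOR_MAX_DEPTH 64                       /* bound recursion on nested containers */

enum cbor_wf { CBOR_WF_OK = 0, CBOR_WF_TRUNCATED, CBOR_WF_BAD_HEADER,
               CBOR_WF_STRAY_BREAK, CBOR_WF_ODD_MAP, CBOR_WF_TOO_DEEP };

/* Decode one data item at p[0..len). Sets *used to its size; a break byte (0xff)
 * is reported through *is_break so the caller decides whether it is legal there. */
static enum cbor_wf walk(const uint8_t *p, size_t len, size_t *used, int *is_break, int depth)
{
    if (depth > CBOR_MAX_DEPTH) return CBOR_WF_TOO_DEEP;
    if (len < 1) return CBOR_WF_TRUNCATED;
    uint8_t mt = p[0] >> 5, ai = p[0] & 0x1f;   /* major type, additional info */
    size_t pos = 1, u;
    uint64_t arg = ai;
    int indefinite = 0, brk;
    enum cbor_wf r;
    *is_break = 0;
    if (ai >= 24 && ai <= 27) {                 /* 1, 2, 4 or 8 argument bytes follow */
        size_t n = (size_t)1 << (ai - 24);
        if (len - pos < n) return CBOR_WF_TRUNCATED;
        arg = 0;
        for (size_t i = 0; i < n; i++) arg = (arg << 8) | p[pos + i];
        pos += n;
    } else if (ai == 31) {                      /* indefinite length, or break */
        if (mt == 7) { *is_break = 1; *used = 1; return CBOR_WF_OK; }
        if (mt < 2 || mt == 6) return CBOR_WF_BAD_HEADER;
        indefinite = 1;
    } else if (ai >= 28) return CBOR_WF_BAD_HEADER;   /* 28..30 are reserved */

    if (mt == 2 || mt == 3) {                   /* byte string, text string */
        if (!indefinite) {
            if (arg > len - pos) return CBOR_WF_TRUNCATED;
            pos += (size_t)arg;
        } else for (;;) {                       /* definite chunks of the same type, then break */
            if ((r = walk(p + pos, len - pos, &u, &brk, depth + 1)) != CBOR_WF_OK) return r;
            if (brk) { pos += u; break; }
            if ((p[pos] >> 5) != mt || (p[pos] & 0x1f) == 31) return CBOR_WF_BAD_HEADER;
            pos += u;
        }
    } else if (mt >= 4 && mt <= 6) {            /* array, map, tag: enclosed items */
        uint64_t n = mt == 6 ? 1 : arg * (mt == 5 ? 2 : 1), count = 0;
        if (mt != 6 && !indefinite && arg > len - pos) return CBOR_WF_TRUNCATED;
        while (indefinite || count < n) {
            if ((r = walk(p + pos, len - pos, &u, &brk, depth + 1)) != CBOR_WF_OK) return r;
            pos += u;
            if (brk) { if (!indefinite) return CBOR_WF_STRAY_BREAK; break; }
            count++;
        }
        /* The report's buffer fails here: "bf 64 .. 04 00 ff" closes the map right
         * after the key 00, leaving an odd number of items. */
        if (indefinite && mt == 5 && (count & 1)) return CBOR_WF_ODD_MAP;
    }                                           /* 0, 1, 7: the argument is the whole item */
    *used = pos;
    return CBOR_WF_OK;
}

/* Check that buf starts with one well-formed item; *used receives its length. */
enum cbor_wf cbor_check(const uint8_t *buf, size_t len, size_t *used)
{
    int brk;
    enum cbor_wf r = walk(buf, len, used, &brk, 0);
    return (r == CBOR_WF_OK && brk) ? CBOR_WF_STRAY_BREAK : r;
}

/* Length of the leading item, or 0 if the buffer is not well-formed. */
size_t cbor_item_len(const uint8_t *buf, size_t len)
{
    size_t used = 0;
    return cbor_check(buf, len, &used) == CBOR_WF_OK ? used : 0;
}

static const uint8_t issue_buf[128] = {        /* the 128 bytes from the report */
    0xbf,0x64,0x0a,0xe0,0xb5,0xbf,0x04,0x00,0xff,0x1e,0xff,0xff,0x80,0xbf,0xa4,0xbf,
    0xff,0x14,0x00,0x14,0x00,0xbf,0xbf,0xbf,0xe4,0xbf,0xbf,0x43,0xbf,0xbf,0xa0,0x13,
    0xaa,0xaa,0xaa,0xaa,0x70,0xaa,0xaa,0xaa,0xaa,0xaa,0xea,0xaa,0xae,0x05,0x11,0x62,
    0x78,0x7c,0x05,0x03,0x18,0x00,0x10,0x40,0x20,0x80,0x61,0x00,0xd8,0x00,0x00,0x00,
    0xde,0x00,0x00,0xcf,0x35,0x10,0x1e,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0xaa,0xff,
    0xaa,0xaa,0x00,0x01,0x07,0x00,0xaa,0xaa,0xac,0x05,0x03,0x1a,0x82,0xa4,0x40,0x0d,
    0x80,0x35,0x78,0xac,0x05,0x00,0x00,0x00,0x7f,0xff,0xff,0xff,0xa8,0xf2,0x61,0x00,
    0xd8,0x00,0x00,0x00,0xcf,0x62,0x78,0x78,0xac,0x05,0x00,0xbd,0x11,0xb6,0x03,0x66 };
/* Constructed inputs: {"c": 1}, the same map cut short, the report's defect in 3 bytes. */
static const uint8_t good_map[]  = { 0xa1, 0x61, 0x63, 0x01 };
static const uint8_t truncated[] = { 0xa1, 0x61, 0x63 };
static const uint8_t bad_break[] = { 0xbf, 0x00, 0xff };

int main(void)
{
    size_t used = 0;
    printf("issue buffer: code %d\n", (int)cbor_check(issue_buf, sizeof issue_buf, &used));
    printf("{\"c\": 1}: %zu-byte item\n", cbor_item_len(good_map, sizeof good_map));
    return 0;
}
```

The check accepts trailing bytes after the first item and only reports how long that item was, so a caller that requires exactly one item should compare the returned length with the buffer size. It also does not check UTF-8 in text strings or duplicate map keys; those are validity rules above the well-formedness level, and the report's crash is already caught at the lower level.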