cbor_value_map_find_value may crash with invalid input
thiagomacieira opened this issue · 3 comments
thiagomacieira commented
```c
#include <stdint.h>
#include "cbor.h"   /* tinycbor */

#define VERIFY_CBOR(x) do { if (!(x)) return 0; } while(0)

static int reproduce(void)
{
    uint8_t buffer[128] = {0xbf,0x64,0x0a,0xe0,0xb5,0xbf,0x04,0x00,0xff,0x1e,0xff,0xff,0x80,0xbf,0xa4,0xbf,0xff,0x14,0x00,0x14,0x00,0xbf,0xbf,0xbf,0xe4,0xbf,0xbf,0x43,0xbf,0xbf,0xa0,0x13,0xaa,0xaa,0xaa,0xaa,0x70,0xaa,0xaa,0xaa,0xaa,0xaa,0xea,0xaa,0xae,0x05,0x11,0x62,0x78,0x7c,0x05,0x03,0x18,0x00,0x10,0x40,0x20,0x80,0x61,0x00,0xd8,0x00,0x00,0x00,0xde,0x00,0x00,0xcf,0x35,0x10,0x1e,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0xaa,0xff,0xaa,0xaa,0x00,0x01,0x07,0x00,0xaa,0xaa,0xac,0x05,0x03,0x1a,0x82,0xa4,0x40,0x0d,0x80,0x35,0x78,0xac,0x05,0x00,0x00,0x00,0x7f,0xff,0xff,0xff,0xa8,0xf2,0x61,0x00,0xd8,0x00,0x00,0x00,0xcf,0x62,0x78,0x78,0xac,0x05,0x00,0xbd,0x11,0xb6,0x03,0x66};
    CborParser parser;
    CborValue it;
    CborValue result;
    VERIFY_CBOR(cbor_parser_init(buffer, sizeof(buffer), 0, &parser, &it) == CborNoError);
    VERIFY_CBOR(cbor_value_is_map(&it));
    VERIFY_CBOR(cbor_value_map_find_value(&it, "c", &result) == CborNoError);
    return 1;
}
```
The last VERIFY_CBOR is expected to fail, but not crash.
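A well-formedness walk of the kind a caller can run over untrusted bytes before asking a parser to search a map, added here as an illustration; it is not tinycbor code (tinycbor has its own cbor_value_validate for this purpose). MAX_DEPTH, the chunk_of parameter and the ValueError(offset, reason) shape are this example's own choices.

```python
import itertools
BREAK = b"\xff"
MAX_DEPTH = 64  # assumption: cap nesting so runs of 0xbf (nested indefinite maps) cannot exhaust the stack

def _need(buf, pos, n):  # return pos + n, or raise if fewer than n bytes remain
    if pos + n > len(buf):
        raise ValueError(pos, "truncated input")
    return pos + n

def _item(buf, pos, depth=0, chunk_of=None):
    """Validate one data item at pos and return the offset just past it; errors are ValueError(offset, reason)."""
    if depth > MAX_DEPTH:
        raise ValueError(pos, "nesting too deep")
    _need(buf, pos, 1)
    start, major, arg, pos = pos, buf[pos] >> 5, buf[pos] & 0x1F, pos + 1  # arg starts as additional info
    if 24 <= arg <= 27:  # 1, 2, 4 or 8 argument bytes follow
        n = 1 << (arg - 24)
        arg, pos = int.from_bytes(buf[pos:_need(buf, pos, n)], "big"), pos + n
    elif arg == 31 and major in (2, 3, 4, 5):  # indefinite-length string or container
        arg = None
    elif arg > 27:  # 28-30 are reserved; 31 here is a break code where an item is required
        raise ValueError(start, "reserved additional info or unexpected break")
    if chunk_of is not None and (major != chunk_of or arg is None):
        raise ValueError(start, "bad chunk in indefinite-length string")
    if major in (2, 3):  # byte or text string
        if arg is not None:
            return _need(buf, pos, arg)
        while buf[pos:pos + 1] != BREAK:  # definite chunks of the same type until the break
            pos = _item(buf, pos, depth + 1, chunk_of=major)
        return pos + 1
    if major in (4, 5):  # array: one item per entry; map: a key followed by a value
        for _ in (range(arg) if arg is not None else itertools.repeat(None)):
            if arg is None and buf[pos:pos + 1] == BREAK:
                return pos + 1
            for i in range(major - 3):
                if i and buf[pos:pos + 1] == BREAK:
                    raise ValueError(pos, "map key without value")
                pos = _item(buf, pos, depth + 1)
        return pos
    if major == 6:  # tag wraps exactly one item
        return _item(buf, pos, depth + 1)
    return pos  # integers, simple values and floats carry nothing further

def check(buf):
    """(True, end, '') if buf starts with a well-formed item, else (False, offset, reason)."""
    try:
        return True, _item(bytes(buf), 0), ""
    except ValueError as e:
        return (False,) + e.args

# The 128-byte input from the report above, as a hex string.
ISSUE_INPUT = bytes.fromhex("bf640ae0b5bf0400ff1e ffff80bfa4bfff140014 00bfbfbfe4bfbf43bfbf a013aaaaaaaa70aaaaaa aaaaeaaaae051162787c 05031800104020806100 d8000000de0000cf3510 1e00000000008000aaff aaaa00010700aaaaac05 031a82a4400d803578ac 050000007fffffffa8f2 6100d8000000cf627878 ac0500bd11b60366")
```

On the report's input, check() stops at offset 8, where a break code (0xff) directly follows the map key 0x00 with no value: the walk a map lookup has to perform hits malformed structure long before any key named "c" could be compared.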
TSonono commented
Ran it now. Results in the following:
Assertion failed: (it->type != CborInvalidType), function cbor_value_advance, file /Users/tsonono/repos/cbor-c-test/app/external/tinycbor/src/cborparser.c, line 526.
thiagomacieira commented
Added a test, cannot reproduce in 0.6 (dev branch).
thiagomacieira commented
Seems it got fixed by 2b2d663.