The `CBORParser::nextToken()` method relies on the integer index `_inputPtr` to read the next character from the provided input byte array. In some cases, if the provided input byte array is malformed and contains negative bytes, that negative could be used as the new value for `_inputPtr`. If the negative `_inputPtr` is used as an index for later access to the byte array, an unexpected `IndexOutOfBoundsException` is thrown because a negative index is used.

The suggested fix is to add a negative check before the use of `_inputPtr`. It is shown that there is already a check in the method to ensure `_inputPtr` is not larger than or equal to `_inputEnd`, but there is no check to confirm that `_inputPtr` is not negative. The suggested fix is to add a negative check to ensure the retrieved `_inputPtr` is not negative before use.
cowtowncoder changed the title from "Possible IndexOutOfBoundsException in CBORParser for invalid input" to "IndexOutOfBoundsException in CBORParser for invalid input" on Jan 9, 2024.
We found this issue through OSS-Fuzz, and it is reported at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65617.
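The defect shape described above, as an added, simplified illustration that is not Jackson's code: a pointer derived from an input byte is checked only against the upper bound, so a signed (negative) byte can drive it below zero and an uncontrolled `ArrayIndexOutOfBoundsException` escapes, whereas the hardened variant masks the byte and rejects any pointer outside `[0, length)` with a descriptive exception. The class and method names are hypothetical.

```java
/** Hypothetical demo of the two-sided pointer check; not code from jackson-dataformats-binary. */
public class PointerCheckDemo {

    /** Mirrors the reported shape: upper bound checked, lower bound not. */
    static byte readAfterSkipUnchecked(byte[] buf, int ptr) {
        int skip = buf[ptr++];          // signed Java byte: 0x80..0xFF read as -128..-1
        ptr += skip;                    // a negative skip moves the pointer backwards
        if (ptr >= buf.length) {        // only the end of input is checked
            throw new IllegalStateException("Unexpected end of input");
        }
        return buf[ptr];                // negative ptr -> ArrayIndexOutOfBoundsException
    }

    /** Hardened: treat the length byte as unsigned and reject any pointer outside [0, length). */
    static byte readAfterSkipChecked(byte[] buf, int ptr) {
        int skip = buf[ptr++] & 0xFF;   // masking removes the negative source on this path
        long next = (long) ptr + skip;  // long so a large skip cannot wrap the int
        if (next < 0 || next >= buf.length) {   // explicit lower-bound check guards any other path
            throw new IllegalStateException(
                "Malformed input: pointer " + next + " outside [0, " + buf.length + ")");
        }
        return buf[(int) next];
    }

    public static void main(String[] args) {
        // Constructed malformed input: 0xF0 is -16 when read as a signed Java byte.
        byte[] malformed = { (byte) 0xF0, 0x01, 0x02 };
        try {
            readAfterSkipUnchecked(malformed, 0);   // ptr becomes -15, then indexes the array
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("unchecked: " + e);   // raw runtime exception leaves the parser
        }
        try {
            readAfterSkipChecked(malformed, 0);     // skip = 240, next = 241 >= 3, rejected cleanly
        } catch (IllegalStateException e) {
            System.out.println("checked:   " + e.getMessage());
        }
    }
}
```

The practical difference for a consumer of untrusted CBOR is that the hardened path fails with a parse-level error the caller already expects to handle, instead of an unanticipated runtime exception from deep inside array access.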