Fix length checks for name and data in htsmsg_binary#2076
Fix length checks for name and data in htsmsg_binary#2076
Conversation
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the robustness of th
8000
e Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
|
There was a problem hiding this comment.
Code Review
This pull request fixes several potential security vulnerabilities in htsmsg_binary_des0, including integer overflows and a heap buffer overflow. The checks for namelen and datalen against the buffer length are improved to prevent overflow. An overflow check is added for string field length calculation. The total length calculation for UUID fields is corrected, fixing a critical buffer overflow vulnerability. My review includes one suggestion to further improve robustness by adding a missing overflow check for consistency.
| } else if (type == HMF_UUID) { | ||
| tlen = UUID_BIN_SIZE; | ||
| if (tlen != datalen) | ||
| tlen += UUID_BIN_SIZE; |
There was a problem hiding this comment.
For consistency with the integer overflow check added for HMF_STR, it would be good practice to also add a check here to prevent tlen from overflowing before adding UUID_BIN_SIZE. While an overflow is unlikely given UUID_BIN_SIZE is a small constant, adding the check improves robustness and consistency.
You could add a check like this before the addition:
if (tlen > SIZE_MAX - UUID_BIN_SIZE) {
return -1;
}There was a problem hiding this comment.
Pull request overview
Adjusts htsmsg_binary deserialization length and allocation calculations to prevent incorrect bounds checks and ensure proper sizing for specific field types (notably UUID and strings).
Changes:
- Reworks name/data remaining-length validation to avoid overflow-prone
namelen + datalenchecks. - Adds an allocation overflow guard for string fields before computing
tlen += datalen + 1. - Fixes UUID allocation sizing by adding
UUID_BIN_SIZEto the existing field allocation size (instead of overwriting it).
| if (type == HMF_STR) { | ||
| if (datalen > SIZE_MAX - tlen - 1) | ||
| return -1; |
There was a problem hiding this comment.
Line 60 introduces a tab/misaligned indentation inside the if (type == HMF_STR) block, which breaks the surrounding indentation style and can cause noisy diffs in future edits. Please re-indent this block consistently (spaces only, aligned with the other statements in the function).
No description provided.