Fix integer overflow bugs.

2015-03-08 20:39:44 -04:00 · 2015-03-08 20:39:44 -04:00 · 0e8fe55593
commit 0e8fe55593
parent 2b1d5c201e
3 changed files with 31 additions and 2 deletions
--- a/compiler/src/test/scala/org/capnproto/EncodingTest.scala
+++ b/compiler/src/test/scala/org/capnproto/EncodingTest.scala
@ -386,6 +386,29 @@ class EncodingSuite extends FunSuite {
    a [DecodeException] should be thrownBy root.getAnyPointerField.getAs(org.capnproto.Text.factory);
  }

+  test("InlineCompositeListIntOverflow") {
+    val bytes = Array[Byte](0,0,0,0, 0,0,1,0,
+                            1,0,0,0, 0x17,0,0,0, 0,0,0,-128, 16,0,0,0,
+                            0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0);
+
+    val segment = java.nio.ByteBuffer.wrap(bytes);
+    segment.order(java.nio.ByteOrder.LITTLE_ENDIAN);
+    val message = new MessageReader(Array(segment), ReaderOptions.DEFAULT_READER_OPTIONS);
+
+    val root = message.getRoot(TestAnyPointer.factory);
+    // TODO add this after we impelement totalSize():
+    //root.totalSize();
+
+    a [DecodeException] should be thrownBy
+      root.getAnyPointerField.getAs(new StructList.Factory(TestAllTypes.factory));
+
+    val messageBuilder = new MessageBuilder();
+    val builderRoot = messageBuilder.initRoot(TestAnyPointer.factory);
+    a [DecodeException] should be thrownBy
+      builderRoot.getAnyPointerField.setAs(TestAnyPointer.factory, root);
+
+  }
+
  test("VoidListAmplification") {
    val builder = new MessageBuilder();
    builder.initRoot(TestAnyPointer.factory).getAnyPointerField().initAs(PrimitiveList.Void.factory, 1 << 28);
--- a/runtime/src/main/java/org/capnproto/AnyPointer.java
+++ b/runtime/src/main/java/org/capnproto/AnyPointer.java
@ -82,6 +82,10 @@ public final class AnyPointer {
            return factory.initFromPointerBuilder(this.segment, this.pointer, elementCount);
        }

+        public final <T, U> void setAs(SetPointerBuilder<T, U> factory, U reader) {
+            factory.setPointerBuilder(this.segment, this.pointer, reader);
+        }
+
        public final Reader asReader() {
            return new Reader(segment, pointer, 0x7fffffff);
        }
--- a/runtime/src/main/java/org/capnproto/WireHelpers.java
+++ b/runtime/src/main/java/org/capnproto/WireHelpers.java
@ -1072,7 +1072,7 @@ final class WireHelpers {

                int elementCount = WirePointer.inlineCompositeListElementCount(tag);
                int wordsPerElement = StructPointer.wordSize(tag);
-                if (wordsPerElement * elementCount > wordCount) {
+                if ((long)wordsPerElement * elementCount > wordCount) {
                    throw new DecodeException("INLINE_COMPOSITE list's elements overrun its word count.");
                }

@ -1165,7 +1165,9 @@ final class WireHelpers {

            int wordsPerElement = StructPointer.wordSize(tag);

-            // TODO check that elemements do not overrun word count
+            if ((long)size * wordsPerElement > wordCount) {
+                throw new DecodeException("INLINE_COMPOSITE list's elements overrun its word count.");
+            }

            if (wordsPerElement == 0) {
                // Watch out for lists of zero-sized structs, which can claim to be arbitrarily