matthew/The-Powder-Toy
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix invalid read in BSON.cpp when loading some kinds of invalid saves

Browse Source
This commit is contained in:
jacob1 2016-08-12 17:34:59 -04:00
parent 6dc1c222bc
commit 89e7238f3b
3 changed files with 28 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/bson/BSON.cpp
View File

@ -68,6 +68,13 @@ int bson_copy( bson *out, const bson *in ) {
int bson_init_data( bson *b, char *data ) { int bson_init_data( bson *b, char *data ) {
b->data = data; b->data = data;
b->dataSize = INT_MAX; // no overflow detection for bson_iterator_next
return BSON_OK;
}
int bson_init_data_size( bson *b, char *data, int size ) {
b->data = data;
b->dataSize = size; // used for overflow detection for bson_iterator_next
return BSON_OK; return BSON_OK;
} }
@ -292,11 +299,13 @@ void bson_print_raw( const char *data , int depth ) {
void bson_iterator_init( bson_iterator *i, const bson *b ) { void bson_iterator_init( bson_iterator *i, const bson *b ) {
i->cur = b->data + 4; i->cur = b->data + 4;
i->first = 1; i->first = 1;
i->last = b->data + b->dataSize;
} }
void bson_iterator_from_buffer( bson_iterator *i, const char *buffer ) { void bson_iterator_from_buffer( bson_iterator *i, const char *buffer ) {
i->cur = buffer + 4; i->cur = buffer + 4;
i->first = 1; i->first = 1;
i->last = NULL;
} }
bson_type bson_find( bson_iterator *it, const bson *obj, const char *name ) { bson_type bson_find( bson_iterator *it, const bson *obj, const char *name ) {
@ -309,6 +318,8 @@ bson_type bson_find( bson_iterator *it, const bson *obj, const char *name ) {
} }
bson_bool_t bson_iterator_more( const bson_iterator *i ) { bson_bool_t bson_iterator_more( const bson_iterator *i ) {
if (i->last && i->cur >= i->last)
return BSON_EOO;
return *( i->cur ); return *( i->cur );
} }
@ -377,6 +388,8 @@ bson_type bson_iterator_next( bson_iterator *i ) {
i->cur += 1 + strlen( i->cur + 1 ) + 1 + ds; i->cur += 1 + strlen( i->cur + 1 ) + 1 + ds;
if (i->last && i->cur >= i->last)
return BSON_EOO;
return ( bson_type )( *i->cur ); return ( bson_type )( *i->cur );
} }

14
src/bson/BSON.h
View File

@ -200,6 +200,7 @@ typedef int bson_bool_t;
typedef struct { typedef struct {
const char *cur; const char *cur;
bson_bool_t first; bson_bool_t first;
const char *last;
} bson_iterator; } bson_iterator;
typedef struct { typedef struct {
@ -644,6 +645,19 @@ void bson_init( bson *b );
*/ */
int bson_init_data( bson *b , char *data ); int bson_init_data( bson *b , char *data );
/**
* Initialize a BSON object, point its data pointer
* to the provided char*, and initialize the size
*
* @param b the BSON object to initialize.
* @param data the raw BSON data.
* @param size the size of the BSON data.
*
* @return BSON_OK or BSON_ERROR.
*/
int bson_init_data_size( bson *b , char *data , int size );
/** /**
* Initialize a BSON object, and point its data * Initialize a BSON object, and point its data
* pointer to the provided char*. We assume * pointer to the provided char*. We assume

2
src/client/GameSave.cpp
View File

@ -506,7 +506,7 @@ void GameSave::readOPS(char * data, int dataLength)
throw ParseException(ParseException::Corrupt, "Unable to decompress"); throw ParseException(ParseException::Corrupt, "Unable to decompress");
set_bson_err_handler(bson_error_handler); set_bson_err_handler(bson_error_handler);
bson_init_data(&b, (char*)bsonData); bson_init_data_size(&b, (char*)bsonData, bsonDataLen);
bson_iterator_init(&iter, &b); bson_iterator_init(&iter, &b);
std::vector<sign> tempSigns; std::vector<sign> tempSigns;