internal/impl: fix validator bytes field length decoding

Missing a bounds check on the first byte. Change-Id: I089fa8dcc1a14d11faca1acba758b6b811b16ac4 Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/216957 Reviewed-by: Joe Tsai <joetsai@google.com>
2025-01-17 01:12:51 +00:00 · 2020-01-29 15:55:53 -08:00 · 2020-01-29 15:55:53 -08:00 · 6f2977906d
commit 6f2977906d
parent c70f5d59d1
2 changed files with 21 additions and 1 deletions
--- a/internal/impl/validate.go
+++ b/internal/impl/validate.go
@ -414,7 +414,7 @@ State:
 				continue State
 			case wire.BytesType:
 				var size uint64
-				if b[0] < 0x80 {
+				if len(b) >= 1 && b[0] < 0x80 {
 					size = uint64(b[0])
 					b = b[1:]
 				} else if len(b) >= 2 && b[1] < 128 {
--- a/proto/testmessages_test.go
+++ b/proto/testmessages_test.go
@ -2068,4 +2068,24 @@ var testInvalidMessages = []testProto{
 			}},
 		}.Marshal(),
 	},
+	{
+		desc: "varint field overruns message",
+		decodeTo: []proto.Message{
+			(*testpb.TestAllTypes)(nil),
+			(*testpb.TestAllExtensions)(nil),
+		},
+		wire: pack.Message{
+			pack.Tag{1, pack.VarintType},
+		}.Marshal(),
+	},
+	{
+		desc: "bytes field lacks size",
+		decodeTo: []proto.Message{
+			(*testpb.TestAllTypes)(nil),
+			(*testpb.TestAllExtensions)(nil),
+		},
+		wire: pack.Message{
+			pack.Tag{18, pack.BytesType},
+		}.Marshal(),
+	},
 }