refactor(core): Validate Variant ArrayLength against its ArrayDimensi…

…ons during binary decode This lead to the fuzzer complaing since we hade the check for _encode but not for _decode. This is not a direct memory issue per se. But the consistency check allows early discovery of problematic values and can potentially remove bugs where the user relies on the array dimensions and the array length to match.
jpfr · Oct 22, 2024 · 1d1758a · 1d1758a
1 parent 740a449
commit 1d1758a
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/ua_types_encoding_binary.c b/src/ua_types_encoding_binary.c
@@ -1093,9 +1093,18 @@ DECODE_BINARY(Variant) {
     }
 
     /* Decode array dimensions */
-    if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0)
+    if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0) {
         ret |= Array_decodeBinary((void**)&dst->arrayDimensions, &dst->arrayDimensionsSize,
                                   &UA_TYPES[UA_TYPES_INT32], ctx);
+        /* Validate array length against array dimensions */
+        size_t totalSize = 1;
+        for(size_t i = 0; i < dst->arrayDimensionsSize; ++i) {
+            if(dst->arrayDimensions[i] == 0)
+                return UA_STATUSCODE_BADDECODINGERROR;
+            totalSize *= dst->arrayDimensions[i];
+        }
+        UA_CHECK(totalSize == dst->arrayLength, ret = UA_STATUSCODE_BADDECODINGERROR);
+    }
 
     ctx->depth--;
     return ret;