From 1d1758a971b038f485e3e1e94bc226f0ae42f76a Mon Sep 17 00:00:00 2001
From: Julius Pfrommer
Date: Tue, 22 Oct 2024 21:47:15 +0200
Subject: [PATCH] refactor(core): Validate Variant ArrayLength against its ArrayDimensions during binary decode

This lead to the fuzzer complaing since we hade the check for _encode but not for _decode. This is not a direct memory issue per se. But the consistency check allows early discovery of problematic values and can potentially remove bugs where the user relies on the array dimensions and the array length to match.
---
 src/ua_types_encoding_binary.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/ua_types_encoding_binary.c b/src/ua_types_encoding_binary.c
index 7e1509267a6..ac3f7165b16 100644
--- a/src/ua_types_encoding_binary.c
+++ b/src/ua_types_encoding_binary.c
@@ -1093,9 +1093,18 @@ DECODE_BINARY(Variant) {
     }
 
     /* Decode array dimensions */
-    if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0)
+    if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0) {
         ret |= Array_decodeBinary((void**)&dst->arrayDimensions, &dst->arrayDimensionsSize,
                                   &UA_TYPES[UA_TYPES_INT32], ctx);
+        /* Validate array length against array dimensions */
+        size_t totalSize = 1;
+        for(size_t i = 0; i < dst->arrayDimensionsSize; ++i) {
+            if(dst->arrayDimensions[i] == 0)
+                return UA_STATUSCODE_BADDECODINGERROR;
+            totalSize *= dst->arrayDimensions[i];
+        }
+        UA_CHECK(totalSize == dst->arrayLength, ret = UA_STATUSCODE_BADDECODINGERROR);
+    }
 
     ctx->depth--;
     return ret;
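Review bot: The `return UA_STATUSCODE_BADDECODINGERROR;` inside the new validation loop leaves through a second exit that skips the `ctx->depth--;` the function's common exit performs two lines below, so a zero dimension in the input unbalances the decode depth counter (presumably incremented on entry, outside this hunk) where every other error in the block is funnelled into `ret`; setting `ret` and breaking keeps the single exit. The dimensions are decoded as Int32 (`&UA_TYPES[UA_TYPES_INT32]`) but only `== 0` is rejected: a negative dimension becomes a huge `size_t` in `totalSize *= dst->arrayDimensions[i]`, and the running product can wrap, so the final `totalSize == dst->arrayLength` comparison can be satisfied by an overflowed product rather than by a consistent header; rejecting non-positive values and guarding the multiplication against wrap closes that. The status of `Array_decodeBinary` is ORed into `ret` but not inspected before `dst->arrayDimensions` is indexed, which is fine only if that helper leaves a NULL/zero-size pair on failure — worth confirming. `DECODE_BINARY(Variant)` starts before this hunk and its closing brace lies after it.
```c
        /* Validate array length against array dimensions. Dimensions are
         * Int32: reject zero and negative values, and stop before the
         * product wraps around size_t. Errors go through ret so the common
         * exit (ctx->depth--) below is always reached. */
        size_t totalSize = 1;
        for(size_t i = 0; i < dst->arrayDimensionsSize; ++i) {
            UA_Int32 dim = dst->arrayDimensions[i];
            if(dim <= 0 || totalSize > SIZE_MAX / (size_t)dim) {
                ret = UA_STATUSCODE_BADDECODINGERROR;
                break;
            }
            totalSize *= (size_t)dim;
        }
        UA_CHECK(totalSize == dst->arrayLength, ret = UA_STATUSCODE_BADDECODINGERROR);
        /* … unchanged: closing brace, ctx->depth--, return ret … */
```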