From 3f5e09a0df18201e30a202a2074dc0c0a283c01b Mon Sep 17 00:00:00 2001 From: Barinzaya Date: Tue, 29 Apr 2025 08:19:43 -0400 Subject: [PATCH] Fixed an overflow when decoding a large CBOR slice. The initial allocation for the slice is limited to prevent untrusted data from forcing a huge allocation, but then the dynamic array was created with a capacity of the unlimited length, rather than the actual capacity of the allocation. This was causing a buffer overrun. --- core/encoding/cbor/unmarshal.odin | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/encoding/cbor/unmarshal.odin b/core/encoding/cbor/unmarshal.odin index f752c5275..24bbd8137 100644 --- a/core/encoding/cbor/unmarshal.odin +++ b/core/encoding/cbor/unmarshal.odin @@ -493,7 +493,7 @@ _unmarshal_array :: proc(d: Decoder, v: any, ti: ^reflect.Type_Info, hdr: Header data := mem.alloc_bytes_non_zeroed(t.elem.size * scap, t.elem.align, allocator=allocator, loc=loc) or_return defer if err != nil { mem.free_bytes(data, allocator=allocator, loc=loc) } - da := mem.Raw_Dynamic_Array{raw_data(data), 0, length, context.allocator } + da := mem.Raw_Dynamic_Array{raw_data(data), 0, scap, context.allocator } assign_array(d, &da, t.elem, length) or_return