From fd07f15edcf74de2fb997bd1688872a1e6892de8 Mon Sep 17 00:00:00 2001
From: Ali <>
Date: Wed, 22 Feb 2023 20:58:08 +0400
Subject: [PATCH] Defensive Coding
---
 submodules/Postbox/Sources/Coding.swift | 100 +++++++++++++++++++-----
 1 file changed, 80 insertions(+), 20 deletions(-)
diff --git a/submodules/Postbox/Sources/Coding.swift b/submodules/Postbox/Sources/Coding.swift
index fdbabbf8ef..794aacb0bb 100644
--- a/submodules/Postbox/Sources/Coding.swift
+++ b/submodules/Postbox/Sources/Coding.swift
@@ -727,27 +727,57 @@ public final class PostboxDecoder {
 case .Double:
 offset += 8
 case .String:
- var length: Int32 = 0
- memcpy(&length, bytes + offset, 4)
- offset += 4 + Int(length)
+ if offset + 4 > length {
+ offset = 0
+ return false
+ }
+
+ var valueLength: Int32 = 0
+ memcpy(&valueLength, bytes + offset, 4)
+ offset += 4 + Int(valueLength)
 case .Object:
- var length: Int32 = 0
- memcpy(&length, bytes + (offset + 4), 4)
- offset += 8 + Int(length)
+ if offset + 4 > length {
+ offset = 0
+ return false
+ }
+
+ var valueLength: Int32 = 0
+ memcpy(&valueLength, bytes + (offset + 4), 4)
+ offset += 8 + Int(valueLength)
 case .Int32Array:
- var length: Int32 = 0
- memcpy(&length, bytes + offset, 4)
- offset += 4 + Int(length) * 4
+ if offset + 4 > length {
+ offset = 0
+ return false
+ }
+
+ var valueLength: Int32 = 0
+ memcpy(&valueLength, bytes + offset, 4)
+ offset += 4 + Int(valueLength) * 4
 case .Int64Array:
- var length: Int32 = 0
- memcpy(&length, bytes + offset, 4)
- offset += 4 + Int(length) * 8
+ if offset + 4 > length {
+ offset = 0
+ return false
+ }
+
+ var valueLength: Int32 = 0
+ memcpy(&valueLength, bytes + offset, 4)
+ offset += 4 + Int(valueLength) * 8
 case .ObjectArray:
+ if offset + 4 > length {
+ offset = 0
+ return false
+ }
+
 var subLength: Int32 = 0
 memcpy(&subLength, bytes + offset, 4)
 offset += 4
 var i: Int32 = 0
 while i < subLength {
+ if offset + 4 + 4 > length {
+ offset = 0
+ return false
+ }
+
 var objectLength: Int32 = 0
 memcpy(&objectLength, bytes + (offset + 4), 4)
 offset += 8 + Int(objectLength)
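Review bot: The guard added for `.Object` is off by four bytes: the `memcpy(&valueLength, bytes + (offset + 4), 4)` that follows it reads bytes `offset + 4 ..< offset + 8`, so `if offset + 4 > length` still lets the copy run past the end of the buffer whenever fewer than 8 bytes remain; it should be `if offset + 8 > length {`, matching the `offset + 4 + 4` check the `.ObjectArray` loop already uses. A second gap is shared by every case in this hunk and by `.Bytes`, `.StringArray`/`.BytesArray` and the dictionary entries in the next one: the advance `offset += 4 + Int(valueLength)` (and its `* 4` / `* 8` and `8 + …` variants) is never compared with `length`, and `valueLength` is a signed `Int32` read straight from the data, so a negative or oversized value leaves `offset` before or beyond the buffer for the next read to dereference; a check after each length read such as `if valueLength < 0 || offset + 4 + Int(valueLength) > length { offset = 0; return false }` (adjusted per case) would close it. The enclosing function that declares `offset`, `length` and `bytes` starts and ends outside the hunk, so their types are inferred from use here.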
@@ -759,32 +789,62 @@ public final class PostboxDecoder {
 }
 return true
 case .ObjectDictionary:
- var length: Int32 = 0
- memcpy(&length, bytes + offset, 4)
+ if offset + 4 > length {
+ offset = 0
+ return false
+ }
+
+ var valueLength: Int32 = 0
+ memcpy(&valueLength, bytes + offset, 4)
 offset += 4
 var i: Int32 = 0
- while i < length {
+ while i < valueLength {
+ if offset + 4 + 4 > length {
+ offset = 0
+ return false
+ }
+
 var keyLength: Int32 = 0
 memcpy(&keyLength, bytes + (offset + 4), 4)
 offset += 8 + Int(keyLength)
+ if offset + 4 + 4 > length {
+ offset = 0
+ return false
+ }
+
 var valueLength: Int32 = 0
 memcpy(&valueLength, bytes + (offset + 4), 4)
 offset += 8 + Int(valueLength)
 i += 1
 }
 case .Bytes:
- var length: Int32 = 0
- memcpy(&length, bytes + offset, 4)
- offset += 4 + Int(length)
+ if offset + 4 > length {
+ offset = 0
+ return false
+ }
+
+ var valueLength: Int32 = 0
+ memcpy(&valueLength, bytes + offset, 4)
+ offset += 4 + Int(valueLength)
 case .Nil:
 break
 case .StringArray, .BytesArray:
- var length: Int32 = 0
- memcpy(&length, bytes + offset, 4)
+ if offset + 4 > length {
+ offset = 0
+ return false
+ }
+
+ var valueLength: Int32 = 0
+ memcpy(&valueLength, bytes + offset, 4)
 offset += 4
 var i: Int32 = 0
 while i < length {
+ if offset + 4 > length {
+ offset = 0
+ return false
+ }
+
 var stringLength: Int32 = 0
 memcpy(&stringLength, bytes + offset, 4)
 offset += 4 + Int(stringLength)
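Review bot: In the `.StringArray, .BytesArray` case the loop header `while i < length {` was left as context while the count it used to compare against was renamed, so `length` now refers to the total buffer length rather than the element count; the loop runs until `i` reaches the buffer size, which means a well-formed array is either reported as malformed by the inner `offset + 4 > length` check or skipped with the wrong span. It should read `while i < valueLength {`, exactly as the `.ObjectDictionary` case in this same hunk was changed to. In `.ObjectDictionary` the inner `var valueLength: Int32 = 0` declared inside the loop body shadows the outer count of the same name; this compiles because the `while` condition is evaluated in the outer scope, but renaming the inner one (for example `entryValueLength`) would stop the next reader from assuming the count is being overwritten each iteration.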