Author: Guido Vranken <guidovranken@gmail.com>
Description: pointer overflow in zmq::v2_decoder_t::size_ready
leading to remote code execution (issue #3351).
Refactor bounds check arithmetic such that no overflow shall occur
Origin: https://github.com/zeromq/libzmq/pull/3353
Applied-Upstream: 1a2ed12716693073032d57dac4e269df3d373751
--- a/src/v2_decoder.cpp
+++ b/src/v2_decoder.cpp
@@ -108,7 +108,7 @@ int zmq::v2_decoder_t::size_ready(uint64_t msg_size, unsigned char const* read_p
// the current message can exceed the current buffer. We have to copy the buffer
// data into a new message and complete it in the next receive.
|
- if (unlikely ((unsigned char*)read_pos + msg_size > (data() + size())))
+ if (unlikely (msg_size > (size_t) (data () + size () - read_pos)))
{
// a new message has started, but the size would exceed the pre-allocated arena
// this happens every time when a message does not fit completely into the buffer
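Review bot: The rewritten check on the `+` line is only sound while `read_pos` lies inside `[data (), data () + size ()]`; if it ever pointed past the end of the buffer the `ptrdiff_t` difference would be negative and the `(size_t)` cast would wrap it to a huge value, so `msg_size > ...` would be false and the oversized message would be accepted — the same class of failure the commit is fixing, just moved from pointer overflow to a sign wrap. That invariant presumably holds for every caller of size_ready, but nothing in the hunk states it, so a reader cannot tell the check from an accidental one. I would document it directly above the condition, e.g. `// read_pos must lie within [data (), data () + size ()]: the difference is computed as ptrdiff_t and cast to size_t, so a read_pos past the end would wrap and defeat this check.` — or, if the file's assertion macro is acceptable on this path, assert the invariant there. size_ready's signature is only visible in the `@@` context line and its body continues after the hunk, so the precondition may already be enforced elsewhere in the function.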