

fix: serialize buffer size check
During the check that we don't overflow the serialization buffer we
erroneously accounted for the length field as 1 byte instead of
sizeof(uint32_t), which could cause us to crash with some input strings.

Signed-off-by: Michael Hoffmann <[email protected]>
MichaHoffmann committed Jun 8, 2024
1 parent e936d3f commit caf14e2
Showing 2 changed files with 6 additions and 4 deletions.
5 changes: 3 additions & 2 deletions dialects/terraform/src/scanner.c
Expand Up @@ -131,13 +131,14 @@ static unsigned serialize(Scanner *scanner, char *buf) {
size += sizeof(uint32_t);
for (int i = 0; i < scanner->context_stack.len; i++) {
Context *context = &scanner->context_stack.data[i];
if (size + 2 + context->heredoc_identifier.len >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) {
if (size + 1 + sizeof(uint32_t) + context->heredoc_identifier.len >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) {
return 0;
}
if (context->heredoc_identifier.len > CHAR_MAX) {
return 0;
}
buf[size++] = context->type;
memcpy(&buf[size], &(context->type), 1);
size += 1;
memcpy(&buf[size], &(context->heredoc_identifier.len), sizeof(uint32_t));
size += sizeof(uint32_t);
memcpy(&buf[size], context->heredoc_identifier.data, context->heredoc_identifier.len);
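Review bot: `memcpy(&buf[size], &(context->type), 1);` copies the first byte in memory of `context->type`, which equals its value only if `type` is a one-byte type or the host is little-endian, whereas the replaced `buf[size++] = context->type;` truncated arithmetically and was endian-neutral. If `type` is an enum or int (its declaration is not visible here), a big-endian build would serialize 0 for every context and the deserializer would decode the wrong context type. Keeping the assignment with the one-byte width made explicit, `buf[size++] = (char)context->type;`, avoids that and still matches the single byte the new bounds check reserves. The `len > CHAR_MAX` guard also hints that the deserializer may read the length as one byte while this side now writes `sizeof(uint32_t)` bytes, so the two sides should be checked for agreement. `serialize` begins before and continues after this hunk.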
5 changes: 3 additions & 2 deletions src/scanner.c
Expand Up @@ -131,13 +131,14 @@ static unsigned serialize(Scanner *scanner, char *buf) {
size += sizeof(uint32_t);
for (int i = 0; i < scanner->context_stack.len; i++) {
Context *context = &scanner->context_stack.data[i];
if (size + 2 + context->heredoc_identifier.len >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) {
if (size + 1 + sizeof(uint32_t) + context->heredoc_identifier.len >= TREE_SITTER_SERIALIZATION_BUFFER_SIZE) {
return 0;
}
if (context->heredoc_identifier.len > CHAR_MAX) {
return 0;
}
buf[size++] = context->type;
memcpy(&buf[size], &(context->type), 1);
size += 1;
memcpy(&buf[size], &(context->heredoc_identifier.len), sizeof(uint32_t));
size += sizeof(uint32_t);
memcpy(&buf[size], context->heredoc_identifier.data, context->heredoc_identifier.len);
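Review bot: The single-byte `memcpy(&buf[size], &(context->type), 1);` is byte-order dependent: it writes whichever byte of `context->type` comes first in memory, which is the value only for a one-byte `type` or on little-endian hosts, while the removed `buf[size++] = context->type;` performed an endian-neutral integer truncation. With `type` presumably an enum (not shown in this hunk), a big-endian target would store 0 for every entry. Prefer `buf[size++] = (char)context->type;`, which keeps the intent explicit and still consumes exactly the one byte accounted for in the new size check. Since `len` is rejected above `CHAR_MAX` yet written as `sizeof(uint32_t)` bytes, confirm the deserializer reads a matching 4-byte length; that code is outside this hunk, as are the start and end of `serialize`.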
