diff options
author | Richard van der Hoff <github@rvanderhoff.org.uk> | 2016-10-19 15:21:07 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-10-19 15:21:07 +0100 |
commit | 351b26fa6ef408a84eb5f29ef0ec9881eb72226b (patch) | |
tree | 1e82ce6bc60c3ea7d235ace1688b9e4ef1b64675 /src | |
parent | 780203b05410b7311dc55f245bba76cbe090a81e (diff) | |
parent | 1ff64391edf9f2e3180238271858698a5a6f30c6 (diff) |
Merge pull request #28 from matrix-org/rav/fix_megolm_segfault
Fix a buffer bounds check when decoding group messages
Diffstat (limited to 'src')
-rw-r--r-- | src/message.cpp | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/src/message.cpp b/src/message.cpp index 05fe2c7..1c11a4a 100644 --- a/src/message.cpp +++ b/src/message.cpp @@ -214,11 +214,13 @@ void olm::decode_message( reader.ciphertext = nullptr; reader.ciphertext_length = 0; - if (pos == end) return; if (input_length < mac_length) return; + + if (pos == end) return; reader.version = *(pos++); while (pos != end) { + unknown = pos; pos = decode( pos, end, RATCHET_KEY_TAG, reader.ratchet_key, reader.ratchet_key_length @@ -234,7 +236,6 @@ void olm::decode_message( if (unknown == pos) { pos = skip_unknown(pos, end); } - unknown = pos; } } @@ -303,6 +304,7 @@ void olm::decode_one_time_key_message( reader.version = *(pos++); while (pos != end) { + unknown = pos; pos = decode( pos, end, ONE_TIME_KEY_ID_TAG, reader.one_time_key, reader.one_time_key_length @@ -322,7 +324,6 @@ void olm::decode_one_time_key_message( if (unknown == pos) { pos = skip_unknown(pos, end); } - unknown = pos; } } @@ -377,9 +378,12 @@ void _olm_decode_group_message( results->ciphertext_length = 0; if (input_length < trailer_length) return; + + if (pos == end) return; results->version = *(pos++); while (pos != end) { + unknown = pos; pos = decode( pos, end, GROUP_MESSAGE_INDEX_TAG, results->message_index, has_message_index @@ -391,7 +395,6 @@ void _olm_decode_group_message( if (unknown == pos) { pos = skip_unknown(pos, end); } - unknown = pos; } results->has_message_index = (int)has_message_index; |