authorRichard van der Hoff <github@rvanderhoff.org.uk>2016-10-19 15:21:07 +0100
committerGitHub <noreply@github.com>2016-10-19 15:21:07 +0100
commit351b26fa6ef408a84eb5f29ef0ec9881eb72226b (patch)
tree1e82ce6bc60c3ea7d235ace1688b9e4ef1b64675 /src
parent780203b05410b7311dc55f245bba76cbe090a81e (diff)
parent1ff64391edf9f2e3180238271858698a5a6f30c6 (diff)
Merge pull request #28 from matrix-org/rav/fix_megolm_segfault
Fix a buffer bounds check when decoding group messages
Diffstat (limited to 'src')
-rw-r--r--src/message.cpp11
1 files changed, 7 insertions, 4 deletions
diff --git a/src/message.cpp b/src/message.cpp
index 05fe2c7..1c11a4a 100644
--- a/src/message.cpp
+++ b/src/message.cpp
@@ -214,11 +214,13 @@ void olm::decode_message(
reader.ciphertext = nullptr;
reader.ciphertext_length = 0;
- if (pos == end) return;
if (input_length < mac_length) return;
+
+ if (pos == end) return;
reader.version = *(pos++);
while (pos != end) {
+ unknown = pos;
pos = decode(
pos, end, RATCHET_KEY_TAG,
reader.ratchet_key, reader.ratchet_key_length
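Review bot: The relocated `if (pos == end) return;` now runs only after the `input_length < mac_length` check, and nothing in the hunk records why the order matters; presumably `end` is derived from `input_length - mac_length` above the hunk, in which case testing `pos == end` before the length check could compare against an `end` that lies before `pos` and miss the empty-payload case. A comment such as `// end is derived from input_length - mac_length; only meaningful once the length check has passed` on the new line would keep a later reorder from reintroducing the over-read; the same ordering appears in the _olm_decode_group_message hunk. Likewise, moving `unknown = pos;` to the loop head appears to make the tail's `if (unknown == pos)` no-progress test valid on the first iteration as well, and a short comment there (`// remember the iteration start so an unrecognised tag is skipped, not spun on`) would make that intent readable in this hunk and in the decode_one_time_key_message and _olm_decode_group_message loops. decode_message's body starts and continues outside the hunk.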
@@ -234,7 +236,6 @@ void olm::decode_message(
if (unknown == pos) {
pos = skip_unknown(pos, end);
}
- unknown = pos;
}
}
@@ -303,6 +304,7 @@ void olm::decode_one_time_key_message(
reader.version = *(pos++);
while (pos != end) {
+ unknown = pos;
pos = decode(
pos, end, ONE_TIME_KEY_ID_TAG,
reader.one_time_key, reader.one_time_key_length
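Review bot: `reader.version = *(pos++);` on the first line of this hunk dereferences `pos` with no visible `pos == end` guard, unlike the guards the commit adds in decode_message and _olm_decode_group_message; if no such check exists above the hunk (outside SOURCE), an input whose length is exactly the trailer length would read one byte past the usable buffer here as well. If a guard is already present above, a comment on this line pointing at it, e.g. `// pos != end is established by the length check above`, would spare the next reader the same question. decode_one_time_key_message's body starts and continues outside the hunk.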
@@ -322,7 +324,6 @@ void olm::decode_one_time_key_message(
if (unknown == pos) {
pos = skip_unknown(pos, end);
}
- unknown = pos;
}
}
@@ -377,9 +378,12 @@ void _olm_decode_group_message(
results->ciphertext_length = 0;
if (input_length < trailer_length) return;
+
+ if (pos == end) return;
results->version = *(pos++);
while (pos != end) {
+ unknown = pos;
pos = decode(
pos, end, GROUP_MESSAGE_INDEX_TAG,
results->message_index, has_message_index
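Review bot: The new `if (pos == end) return;` is the fix the commit title describes, but the diffstat shown is limited to `src`, so it is not visible whether a regression test covering the empty-payload case (an input whose length equals `trailer_length`, so that `pos == end` immediately after the length check) accompanies it; if none exists, one would pin this bounds check against future changes. The guard is sufficient only if `end` cannot lie before `pos`, which the preceding `input_length < trailer_length` return presumably ensures when `end` is computed from that difference above the hunk — worth confirming, since that derivation is outside SOURCE. _olm_decode_group_message's body starts and continues outside the hunk.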
@@ -391,7 +395,6 @@ void _olm_decode_group_message(
if (unknown == pos) {
pos = skip_unknown(pos, end);
}
- unknown = pos;
}
results->has_message_index = (int)has_message_index;