From a4b2927884ded37556ea5009e10fffe12d8a6706 Mon Sep 17 00:00:00 2001
From: Mark Haines
Date: Fri, 7 Aug 2015 18:58:42 +0100
Subject: Initialise the length fields of the reader struct in decode_message, even if the message is invalid, fixes a crash where the message was too short
---
 src/message.cpp | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
(limited to 'src/message.cpp')
diff --git a/src/message.cpp b/src/message.cpp
index 8e807fd..ffb9f6c 100644
--- a/src/message.cpp
+++ b/src/message.cpp
@@ -204,13 +204,16 @@ void olm::decode_message(
 std::uint8_t const * end = input + input_length - mac_length;
 std::uint8_t const * unknown = nullptr;
 
- if (pos == end) return;
- reader.version = *(pos++);
 reader.input = input;
 reader.input_length = input_length;
 reader.has_counter = false;
 reader.ratchet_key = nullptr;
+ reader.ratchet_key_length = 0;
 reader.ciphertext = nullptr;
+ reader.ciphertext_length = 0;
+
+ if (pos == end) return;
+ reader.version = *(pos++);
 
 while (pos != end) {
 pos = decode(
@@ -284,12 +287,17 @@ void olm::decode_one_time_key_message(
 std::uint8_t const * end = input + input_length;
 std::uint8_t const * unknown = nullptr;
 
- if (pos == end) return;
- reader.version = *(pos++);
 reader.one_time_key = nullptr;
+ reader.one_time_key_length = 0;
 reader.identity_key = nullptr;
+ reader.identity_key_length = 0;
 reader.base_key = nullptr;
+ reader.base_key_length = 0;
 reader.message = nullptr;
+ reader.message_length = 0;
+
+ if (pos == end) return;
+ reader.version = *(pos++);
 
 while (pos != end) {
 pos = decode(
-- 
cgit v1.2.3
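Review bot: The guard `if (pos == end) return;` in decode_message still does not cover an input shorter than the MAC, because `end = input + input_length - mac_length` then points before `input`. Assuming `pos` starts at `input` (it is set above the hunk), the equality test fails, `*(pos++)` is read, and `while (pos != end)` cannot reach `end` by advancing, so the parser walks past the buffer. Placing `if (input_length < mac_length) return;` after the field initialisation and before the `pos == end` check would close that case. Separately, `reader.version` is the one field still left unset on the early return, here and in the decode_one_time_key_message hunk; adding `reader.version = 0;` next to the other defaults would give callers a fully defined reader after a failed decode. Both function bodies start and end outside their hunks.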