Fix buffer overrun in get_bool() #133

Status: Merged (1 commit, Jul 15, 2025)

Conversation

@kkaefer (Member) commented Jul 11, 2025

A truncated buffer could lead to an out-of-bounds memory access when calling get_bool(). Instead of checking the buffer before accessing the first byte beyond the end of the buffer, we first read it and then checked it. This change reverses the actions so that no out-of-bounds read occurs.

We have not found this bug in our previous fuzzing because of the way we read the test data: std::string always adds a trailing NUL byte so that it can be trivially converted to a C string. Technically, this trailing NUL byte is part of the buffer, but is not returned as part of the buffer length. Therefore, accessing a single byte beyond the end of the buffer did not trigger the address sanitizer.
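To make the ordering bug concrete, here is an added example (not the project's own code; all names are hypothetical): a simplified varint bool reader in the read-then-check and check-then-read orderings, run over a buffer view that records out-of-bounds reads instead of performing them and hands back a zero byte, the same way std::string's hidden terminator did during fuzzing.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Buffer view that records out-of-bounds reads instead of performing them, a
// stand-in for what AddressSanitizer reports on an exactly-sized heap buffer.
// It returns '\0' for such reads, mirroring the terminator std::string keeps
// past size(), which is why the overrun produced "false" instead of a report.
struct traced_buffer {
    const char* data; std::size_t size; int oob_reads = 0;
    char at(std::size_t i) {
        if (i >= size) { ++oob_reads; return '\0'; }
        return data[i];
    }
};

// Length of the varint at offset 0; throws if it runs past the end.
static std::size_t varint_len(traced_buffer& b) {
    for (std::size_t i = 0; i < b.size; ++i) {
        if ((static_cast<unsigned char>(b.at(i)) & 0x80u) == 0) return i + 1;
    }
    throw std::out_of_range("truncated varint");
}

// Read-then-check, the ordering described in the PR: the value byte is fetched
// before the bounds check, so an empty buffer reads one byte past the end.
static bool get_bool_read_then_check(traced_buffer& b, std::size_t& pos) {
    const bool result = b.at(0) != 0;
    pos = varint_len(b);
    return result;
}

// Check-then-read, the fixed ordering: bounds are validated before any read.
static bool get_bool_check_then_read(traced_buffer& b, std::size_t& pos) {
    pos = varint_len(b);
    return b.at(0) != 0;
}

struct outcome { bool threw; bool value; std::size_t pos; int oob_reads; };
using reader_fn = bool (*)(traced_buffer&, std::size_t&);

// Run a reader over `bytes` (a constructed sample buffer) and report what happened.
static outcome run(reader_fn reader, const std::string& bytes) {
    traced_buffer b{bytes.data(), bytes.size()};
    std::size_t pos = 0;
    try { const bool v = reader(b, pos); return {false, v, pos, b.oob_reads}; }
    catch (const std::out_of_range&) { return {true, false, pos, b.oob_reads}; }
}
```

On an empty buffer both orderings end up throwing, but only the read-then-check version touches a byte past the end first; the fixed ordering never does.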

@kkaefer kkaefer requested a review from joto July 11, 2025 14:23
@kkaefer kkaefer added the bug label Jul 11, 2025
@joto (Collaborator) left a comment

Good catch! Looks good to me.

@joto joto merged commit 67e3247 into master Jul 15, 2025
56 checks passed
@kkaefer kkaefer deleted the kk/bool-overrun branch July 15, 2025 16:00
artemp added a commit to mapnik/mapnik that referenced this pull request Jul 17, 2025

3 participants