Merge pull request #25 from neosilky/panic-fix

Sanity checks for vector length
2017-06-07 16:07:53 +00:00 · 2017-06-07 16:07:53 +00:00 · 287d285214
parent 9a0aeb8646 3cf1ccf8f8
commit 287d285214
4 changed files with 45 additions and 1 deletions
--- a/fuzz/.gitignore
+++ b/fuzz/.gitignore
@ -0,0 +1,4 @@
+
+target
+corpus
+artifacts
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@ -0,0 +1,22 @@
+
+[package]
+name = "bitcoin-fuzz"
+version = "0.0.1"
+authors = ["Automatically generated"]
+publish = false
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies.bitcoin]
+path = ".."
+[dependencies.libfuzzer-sys]
+git = "https://github.com/rust-fuzz/libfuzzer-sys.git"
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[[bin]]
+name = "fuzzer_script_1"
+path = "fuzzers/fuzzer_script_1.rs"
--- a/fuzz/fuzzers/fuzzer_script_1.rs
+++ b/fuzz/fuzzers/fuzzer_script_1.rs
@ -0,0 +1,13 @@
+#![no_main]
+#[macro_use] extern crate libfuzzer_sys;
+extern crate bitcoin;
+
+type BResult = Result<bitcoin::blockdata::script::Script, bitcoin::util::Error>;
+//type BResult = Result<bitcoin::blockdata::transaction::Transaction, bitcoin::util::Error>;
+//type BResult = Result<bitcoin::blockdata::transaction::TxIn, bitcoin::util::Error>;
+//type BResult = Result<bitcoin::blockdata::transaction::TxOut, bitcoin::util::Error>;
+//type BResult = Result<bitcoin::network::constants::Network, bitcoin::util::Error>;
+
+fuzz_target!(|data: &[u8]| {
+    let _: BResult = bitcoin::network::serialize::deserialize(data);
+});
--- a/src/network/encodable.rs
+++ b/src/network/encodable.rs
@ -188,7 +188,9 @@ impl<D: SimpleDecoder, T: ConsensusDecodable<D>> ConsensusDecodable<D> for Vec<T
    #[inline]
    fn consensus_decode(d: &mut D) -> Result<Vec<T>, D::Error> {
        let VarInt(len): VarInt = try!(ConsensusDecodable::consensus_decode(d));
-        let byte_size = len as usize * mem::size_of::<T>();
+        let byte_size = try!((len as usize)
+                            .checked_mul(mem::size_of::<T>())
+                            .ok_or(d.error("Invalid length".to_owned())));
        if byte_size > MAX_VEC_SIZE {
            return Err(d.error(format!("tried to allocate vec of size {} (max {})", byte_size, MAX_VEC_SIZE)));
        }
@ -208,6 +210,9 @@ impl<D: SimpleDecoder, T: ConsensusDecodable<D>> ConsensusDecodable<D> for Box<[
    fn consensus_decode(d: &mut D) -> Result<Box<[T]>, D::Error> {
        let VarInt(len): VarInt = try!(ConsensusDecodable::consensus_decode(d));
        let len = len as usize;
+        if len > MAX_VEC_SIZE {
+            return Err(d.error(format!("tried to allocate vec of size {} (max {})", len, MAX_VEC_SIZE)));
+        }
        let mut ret = Vec::with_capacity(len);
        for _ in 0..len { ret.push(try!(ConsensusDecodable::consensus_decode(d))); }
        Ok(ret.into_boxed_slice())