fix: validate context() restore inputs to prevent buffer overread#39
Draft
toddr-bot wants to merge 1 commit into
Draft
fix: validate context() restore inputs to prevent buffer overread#39toddr-bot wants to merge 1 commit into
toddr-bot wants to merge 1 commit into
Conversation
The context() method, when called with arguments to restore internal state, reads exactly 16 bytes from the state buffer without checking its length. A short string causes a heap buffer overread. Similarly, the optional unprocessed-data argument should be at most 63 bytes (one partial block) but was passed through unchecked. Add croak() guards for both conditions and corresponding tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This was referenced Jun 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Add length validation in
context()restore path before reading from user-supplied buffers.Why
The
context()4-argument restore form reads 16 bytes from the state buffer (arg 2) without checkingSvPVlength. A short string causes an out-of-bounds read. Similarly, no validation on the unprocessed data argument (arg 4) — values over 63 bytes are invalid for MD5 block state.This is a buffer overread, not a write — but it can leak adjacent memory contents through the reconstructed digest state, making it a potential information disclosure vector.
How
len < 16for the state buffer; croak with a clear messagelen > 63for the unprocessed data buffer; croak similarlyt/context.tverifying both validation pathsTesting
make testpasses. New tests exercise both the too-short state and too-long data error paths.Port of gisle/digest-md5#25.
Part of tracking issue #38.