Merge pull request #1885 from UnderminersTeam/add-negative-length-checks

Add negative length checks during deserialization

UndertaleModLib/Models/UndertaleSprite.cs

@@ -764,13 +764,13 @@ public static uint UnserializeChildObjectCount(UndertaleReader reader)
                     switch (spineVersion)
                     {
                         case 1:
-                            reader.Position += 8 + jsonLength + atlasLength + textures;
+                            reader.Position += 8 + (uint)jsonLength + (uint)atlasLength + (uint)textures;
                             break;
 
                         case 2:
                         case 3:
                         {
-                            reader.Position += jsonLength + atlasLength;
+                            reader.Position += (uint)jsonLength + (uint)atlasLength;
 
                             // TODO: make this return count instead if spine sprite
                             // couldn't have sequence or nine slices data.

UndertaleModLib/UndertaleChunks.cs

@@ -1167,7 +1167,7 @@ private void CheckForTileCompression(UndertaleReader reader)
 
                     reader.Position += 32;
                     int effectCount = reader.ReadInt32();
-                    reader.Position += effectCount * 12 + 4;
+                    reader.Position += (uint)effectCount * 12 + 4;
 
                     int tileMapWidth = reader.ReadInt32();
                     int tileMapHeight = reader.ReadInt32();

UndertaleModLib/Util/AdaptiveBinaryReader.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -86,7 +86,7 @@ public long AbsPosition
             {
                 if (isUsingBufferReader)
                 {
-                    if (value > Length)
+                    if (value < 0 || value > Length)
                         throw new IOException("Reading out of bounds.");
                     bufferBinaryReader.Position = value - bufferBinaryReader.ChunkStartPosition + 8;
                 }

UndertaleModLib/Util/BufferBinaryReader.cs

@@ -27,6 +27,11 @@ public ChunkBuffer(int capacity)
 
             public int Read(byte[] buffer, int count)
             {
+                if (count < 0)
+                {
+                    throw new ArgumentOutOfRangeException(nameof(count));
+                }
+
                 int n = _length - _position;
                 if (n > count)
                     n = count;
@@ -75,6 +80,9 @@ public byte ReadByte()
 
             public void Write(byte[] buffer, int count)
             {
+                if (count < 0)
+                    throw new ArgumentOutOfRangeException(nameof(count));
+
                 int i = _position + count;
                 if (i < 0)
                     throw new IOException("Writing out of the chunk buffer bounds.");
@@ -174,6 +182,10 @@ public virtual bool ReadBoolean()
 
         public string ReadChars(int count)
         {
+            if (count < 0)
+            {
+                throw new ArgumentOutOfRangeException(nameof(count));
+            }
             if (chunkBuffer.Position + count > _length)
             {
                 throw new IOException("Reading out of chunk bounds");
@@ -198,6 +210,10 @@ public string ReadChars(int count)
 
         public byte[] ReadBytes(int count)
         {
+            if (count < 0)
+            {
+                throw new ArgumentOutOfRangeException(nameof(count));
+            }
             if (chunkBuffer.Position + count > _length)
             {
                 throw new IOException("Reading out of chunk bounds");
@@ -268,6 +284,8 @@ public string ReadGMString()
 
             int length = BinaryPrimitives.ReadInt32LittleEndian(ReadToBuffer(4));
 
+            if (length < 0)
+                throw new IOException("Invalid string length");
             if (chunkBuffer.Position + length + 1 >= _length)
                 throw new IOException("Reading out of chunk bounds");
 
@@ -293,9 +311,12 @@ public string ReadGMString()
 
             return res;
         }
+
         public void SkipGMString()
         {
             int length = BinaryPrimitives.ReadInt32LittleEndian(ReadToBuffer(4));
+            if (length < 0)
+                throw new IOException("Invalid string length");
             Position += (uint)length + 1;
         }
 

UndertaleModLib/Util/FileBinaryReader.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Buffers.Binary;
 using System.IO;
 using System.Text;
@@ -62,6 +62,10 @@ public virtual bool ReadBoolean()
 
         public string ReadChars(int count)
         {
+            if (count < 0)
+            {
+                throw new ArgumentOutOfRangeException(nameof(count));
+            }
             if (Stream.Position + count > _length)
             {
                 throw new IOException("Reading out of bounds");
@@ -85,6 +89,10 @@ public string ReadChars(int count)
 
         public byte[] ReadBytes(int count)
         {
+            if (count < 0)
+            {
+                throw new ArgumentOutOfRangeException(nameof(count));
+            }
             if (Stream.Position + count > _length)
             {
                 throw new IOException("Reading out of bounds");
@@ -204,6 +212,8 @@ public string ReadGMString()
 
             int length = BinaryPrimitives.ReadInt32LittleEndian(ReadToBuffer(4));
 
+            if (length < 0)
+                throw new IOException("Invalid string length");
             if (Stream.Position + length + 1 >= _length)
                 throw new IOException("Reading out of bounds");
 
@@ -232,6 +242,8 @@ public string ReadGMString()
         public void SkipGMString()
         {
             int length = BinaryPrimitives.ReadInt32LittleEndian(ReadToBuffer(4));
+            if (length < 0)
+                throw new IOException("Invalid string length");
             Position += (uint)length + 1;
         }