Harden Base64 bounds and JSON parser nesting#268
Open
idrassi wants to merge 2 commits into
Open
Conversation
cd6ef7a to
12eedc6
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hardens the
encodelibrary against memory-safety and stack-exhaustion bugs in Base64 size handling and the JSON parser.Base64
The previous
b64_encoded_sizecomputed4 * (data_size / 3) + 5in 32-bit arithmetic. For sufficiently largedata_sizethis overfloweduint32_tsilently and returned an undersized length. Callers such asi_encode_from_data()then allocated a too-small buffer and calledb64_encode, which wrote past the end of that buffer.This PR:
0fromb64_encoded_sizewhen the computed size is not safely representableUINT32_MAX - 1024, leaving a conservative 1024-byte safety margin below theuint32_tceiling instead of allowing allocations and string buffers at the absolute representable limitb64_encodethat returns0and writes an empty terminator when the caller's buffer is too smallb64_decode_ex, a bounds-checked decode API with an explicit destination size and*writtenout-parameterb64_decode_expreflight the decoded output size before writing, so failure from an undersized destination is non-partialIf JSON binary serialization encounters a binary payload whose Base64 output would exceed the accepted size range, it now emits
nullfor that field and marks the output stream corrupt instead of silently serializing the value as an empty string.JSON Parser
The JSON parser was mutually recursive across object, array, value, and skip/jump paths. Attacker-controlled JSON with sufficient nesting could exhaust the stack.
The parser's minus-token handling also used recursion: a long run of
-tokens could recurse throughi_new_tokenuntil stack exhaustion in release builds.This PR:
Compatibility
The existing
b64_encodeandb64_decodeAPIs remain available.b64_decode_exis added as the safer API for callers that need reliable bounds enforcement.This PR doesn't add strict Base64 syntax or padding validation; malformed input validation remains separate from buffer bounds hardening.