From 59393fc73bd0f2a9d626cb8abcae4f22f6027029 Mon Sep 17 00:00:00 2001
From: "J.-F. Cap"
Date: Tue, 26 Feb 2019 02:28:24 +0100
Subject: [PATCH] Added some guards in ta_view unmarshalling to protect against bad marshalled data.
---
 src/core/typedarray.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/core/typedarray.c b/src/core/typedarray.c
index 3e5ffac2..fb802ecf 100644
--- a/src/core/typedarray.c
+++ b/src/core/typedarray.c
@@ -165,6 +165,9 @@ static void ta_view_unmarshal(void *p, JanetMarshalContext *ctx) {
 janet_unmarshal_size(ctx, &offset);
 janet_unmarshal_janet(ctx, &buffer);
 view->buffer = (JanetTArrayBuffer *)janet_unwrap_abstract(buffer);
+ size_t buf_need_size = offset + (janet_tarray_type_size(view->type)) * ((view->size - 1) * view->stride + 1);
+ if (view->buffer->size < buf_need_size)
+ janet_panic("bad typed array offset in marshalled data");
 view->data = view->buffer->data + offset;
 }
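Review bot: The `buf_need_size` expression on the first added line can wrap, because `offset` and (apparently) `view->size`, `view->stride` and `view->type` all come from the marshalled stream; a large stride or offset, or a size of 0 making `view->size - 1` underflow if the field is unsigned, can yield a small result that passes the `view->buffer->size < buf_need_size` test. The check is safer written with subtraction and division against the buffer size so that no intermediate value can overflow, as sketched below (assuming these fields and the return of `janet_tarray_type_size` are `size_t`, which the hunk does not show). Separately, the context line casts `janet_unwrap_abstract(buffer)` to `JanetTArrayBuffer *` with no visible check that the unmarshalled value is an abstract of that type, so `view->buffer->size` may be read from an unrelated object; that deserves a guard ahead of this one. The start of `ta_view_unmarshal` lies outside the hunk, so earlier validation of these fields cannot be ruled out.

```c
    view->buffer = (JanetTArrayBuffer *)janet_unwrap_abstract(buffer);
    size_t elem_size = janet_tarray_type_size(view->type);
    size_t buf_size = view->buffer->size;
    if (elem_size == 0 || offset > buf_size)
        janet_panic("bad typed array offset in marshalled data");
    /* Whole elements that fit after offset; comparing by division cannot wrap. */
    size_t slots = (buf_size - offset) / elem_size;
    /* An empty view needs no storage; otherwise the last index, (size - 1) * stride, must be < slots. */
    if (view->size > 0 &&
            (slots == 0 ||
             (view->stride > 0 && view->size - 1 > (slots - 1) / view->stride)))
        janet_panic("bad typed array offset in marshalled data");
    view->data = view->buffer->data + offset;
```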