diff --git a/src/core/marsh.c b/src/core/marsh.c
index f0728d98..ef22de0d 100644
--- a/src/core/marsh.c
+++ b/src/core/marsh.c
@@ -711,8 +711,9 @@ static const uint8_t *unmarshal_one_env(
 JanetFuncEnv *env = janet_gcalloc(JANET_MEMORY_FUNCENV, sizeof(JanetFuncEnv));
 env->length = 0;
 env->offset = 0;
+ env->as.values = NULL;
 janet_v_push(st->lookup_envs, env);
- int32_t offset = readint(st, &data);
+ int32_t offset = readnat(st, &data);
 int32_t length = readnat(st, &data);
 if (offset > 0) {
 Janet fiberv;
@@ -727,6 +728,9 @@ static const uint8_t *unmarshal_one_env(
 janet_panic("invalid funcenv length");
 } else {
 /* Off stack variant */
+ if (length == 0) {
+ janet_panic("invalid funcenv length");
+ }
 env->as.values = malloc(sizeof(Janet) * (size_t) length);
 if (!env->as.values) {
 JANET_OUT_OF_MEMORY;
@@ -980,6 +984,9 @@ static const uint8_t *unmarshal_one_fiber(
 frameflags &= ~JANET_STACKFRAME_HASENV;
 int32_t offset = stack;
 int32_t length = stacktop - stack;
+ if (length <= 0) {
+ janet_panic("invalid funcenv length");
+ }
 data = unmarshal_one_env(st, data, &env, flags + 1);
 if (env->offset != 0 && env->offset != offset)
 janet_panic("funcenv offset does not match fiber frame");
diff --git a/test/suite8.janet b/test/suite8.janet
index 8b9e0ea0..2ab968a4 100644
--- a/test/suite8.janet
+++ b/test/suite8.janet
@@ -213,5 +213,13 @@
 (assert-error "unmarshal errors 1" (unmarshal @"\xd6\xb9\xb9"))
 (assert-error "unmarshal errors 2" (unmarshal @"\xd7bc"))
 (assert-error "unmarshal errors 3" (unmarshal "\xd3\x01\xd9\x01\x62\xcf\x03\x78\x79\x7a" load-image-dict))
+(assert-error "unmarshal errors 4"
+ (unmarshal
+ @"\xD7\xCD\0e/p\x98\0\0\x03\x01\x01\x01\x02\0\0\x04\0\xCEe/p../tools
+ \0\0\0/afl\0\0\x01\0erate\xDE\xDE\xDE\xDE\xDE\xDE\xDE\xDE\xDE\xDE
+ \xA8\xDE\xDE\xDE\xDE\xDE\xDE\0\0\0\xDE\xDE_unmarshal_testcase3.ja
+ neldb\0\0\0\xD8\x05printG\x01\0\xDE\xDE\xDE'\x03\0marshal_tes/\x02
+ \0\0\0\0\0*\xFE\x01\04\x02\0\0'\x03\0\r\0\r\0\r\0\r" load-image-dict))
+
 (end-suite)
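Review bot: The new `env->as.values = NULL;` line carries no comment explaining why the field must be cleared before `janet_v_push(st->lookup_envs, env)`, and the ordering is not obvious from the hunk. Presumably the env becomes reachable once pushed, so a panic between the push and the later `malloc` must not leave a collector or finalizer holding an indeterminate pointer; a comment stating that intent — `/* Publish a well-defined env: a panic before as.values is assigned must not leave a garbage pointer for cleanup to free */` — would keep a later refactor from reordering the two statements. The switch from `readint` to `readnat` for `offset` also narrows it to non-negative values, which makes the `if (offset > 0)` / else split exhaustive; a short note that the else branch now means offset == 0 would help readers. unmarshal_one_env starts before and continues past the hunk.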
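Review bot: The added `length == 0` guard rejects the empty off-stack case, but the following `malloc(sizeof(Janet) * (size_t) length)` still multiplies a stream-controlled count with no overflow check; whether that can wrap depends on the upper bound `readnat` enforces, which is outside the hunk. If `readnat` can return values near `INT32_MAX`, a 32-bit `size_t` product would wrap and the allocation would be smaller than whatever later fills `length` elements into it. Folding the bound into the new check is cheap and self-documenting: `if (length == 0 || (size_t) length > SIZE_MAX / sizeof(Janet)) janet_panic("invalid funcenv length");`. The enclosing else branch continues past the hunk.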
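Review bot: The new guard in unmarshal_one_fiber reuses the message `"invalid funcenv length"` that unmarshal_one_env emits for its own stream-read length (two hunks above), even though this check concerns the fiber frame's `stacktop - stack` range rather than a marshaled funcenv length. A distinct message, e.g. `janet_panic("invalid fiber frame stack range");`, would tell whoever reads a failing unmarshal which validation fired. The hunk also does not show the frame-derived `length` being compared against the `env->length` that unmarshal_one_env reads from the stream, only the offset comparison; if that check lives outside the hunk this is fine, otherwise the two values can still disagree after this guard. The enclosing function starts before and continues past the hunk.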
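Review bot: The new "unmarshal errors 4" case is an opaque byte blob with no comment saying which of the new checks it exercises, so a future change that alters the panic path could silently make it pass for a different reason. The embedded `_unmarshal_testcase3` fragment suggests it is fuzzer-derived; a one-line comment above the form such as `# fuzzer-found image: must be rejected by the funcenv/fiber length checks rather than read past a short buffer` would record that intent. Stating the expected panic text in the comment would also make it clear whether the assertion is meant to catch the funcenv check or the fiber-frame check.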