🚑 fix for #411 and #412

2025-07-22 15:21:52 +03:00 · 2017-01-01 15:28:01 +01:00
parent d7029c37aa
commit cf9bf2d913
3 changed files with 61 additions and 14 deletions
--- a/test/src/unit-regression.cpp
+++ b/test/src/unit-regression.cpp
@ -610,4 +610,57 @@ TEST_CASE("regression tests")
        CHECK_THROWS_AS(json::from_cbor(vec2), std::out_of_range);
        CHECK_THROWS_AS(json::from_msgpack(vec2), std::out_of_range);
    }
+
+    SECTION("issue #411 - Heap-buffer-overflow (OSS-Fuzz issue 366)")
+    {
+        // original test case: empty UTF-8 string (indefinite length)
+        std::vector<uint8_t> vec1 {0x7f};
+        CHECK_THROWS_AS(json::from_cbor(vec1), std::out_of_range);
+
+        // related test case: empty array (indefinite length)
+        std::vector<uint8_t> vec2 {0x9f};
+        CHECK_THROWS_AS(json::from_cbor(vec2), std::out_of_range);
+
+        // related test case: empty map (indefinite length)
+        std::vector<uint8_t> vec3 {0xbf};
+        CHECK_THROWS_AS(json::from_cbor(vec3), std::out_of_range);
+    }
+
+    SECTION("issue #412 - Heap-buffer-overflow (OSS-Fuzz issue 367)")
+    {
+        // original test case
+        std::vector<uint8_t> vec
+        {
+            0xab, 0x98, 0x98, 0x98, 0x98, 0x98, 0x98, 0x98,
+            0x98, 0x98, 0x98, 0x98, 0x98, 0x00, 0x00, 0x00,
+            0x60, 0xab, 0x98, 0x98, 0x98, 0x98, 0x98, 0x98,
+            0x98, 0x98, 0x98, 0x98, 0x98, 0x00, 0x00, 0x00,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0xa0, 0x9f,
+            0x9f, 0x97, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
+            0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60
+        };
+        CHECK_THROWS_AS(json::from_cbor(vec), std::out_of_range);
+
+        // related test case: nonempty UTF-8 string (indefinite length)
+        std::vector<uint8_t> vec1 {0x7f, 0x61, 0x61};
+        CHECK_THROWS_AS(json::from_cbor(vec1), std::out_of_range);
+
+        // related test case: nonempty array (indefinite length)
+        std::vector<uint8_t> vec2 {0x9f, 0x01};
+        CHECK_THROWS_AS(json::from_cbor(vec2), std::out_of_range);
+
+        // related test case: nonempty map (indefinite length)
+        std::vector<uint8_t> vec3 {0xbf, 0x61, 0x61, 0x01};
+        CHECK_THROWS_AS(json::from_cbor(vec3), std::out_of_range);
+    }
 }