Fixed fuzz bug in MiniDescriptor parsing for extensions.

If the extension MiniDescriptor did not contain any fields, we would read an uninitialized value. We need to add a check that the extension descriptor contains exactly one field. PiperOrigin-RevId: 475075831
Cheney-W · Sep 18, 2022 · 6795ec1 · 6795ec1
1 parent 668cebb
commit 6795ec1
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/upb/mini_table.c b/upb/mini_table.c
@@ -754,7 +754,10 @@ static const char* upb_MtDecoder_Parse(upb_MtDecoder* d, const char* ptr,
   while (ptr < d->end) {
     char ch = *ptr++;
     if (ch <= kUpb_EncodedValue_MaxField) {
-      if (!d->table && last_field) return --ptr;
+      if (!d->table && last_field) {
+        // For extensions, consume only a single field and then return.
+        return --ptr;
+      }
       upb_MiniTable_Field* field = fields;
       *field_count += 1;
       fields = (char*)fields + field_size;
@@ -1148,7 +1151,7 @@ const char* upb_MiniTable_BuildExtension(const char* data, size_t len,
   uint16_t count = 0;
   const char* ret =
       upb_MtDecoder_Parse(&decoder, data, len, ext, sizeof(*ext), &count, NULL);
-  if (!ret) return NULL;
+  if (!ret || count != 1) return NULL;
 
   upb_MiniTable_Field* f = &ext->field;
 

diff --git a/upb/msg_test.cc b/upb/msg_test.cc
@@ -570,4 +570,9 @@ TEST(MessageTest, MapField) {
 //       -696925610, -654590577);
 // }
 //
+// TEST(FuzzTest, ExtendMessageSetWithEmptyExtension) {
+//   DecodeEncodeArbitrarySchemaAndPayload({{"\n"}, {}, "_", {}}, std::string(), 0,
+//                                         0);
+// }
+//
 // end:google_only