Be strict about maxPayloadLength in inflate

yongju-hong · Jan 1, 2020 · bbbe3bd · bbbe3bd
1 parent 6fe5ea4
commit bbbe3bd
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/fuzzing/PerMessageDeflate.cpp b/fuzzing/PerMessageDeflate.cpp
@@ -24,7 +24,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         std::string_view inflation = staticData.inflationStream.inflate(&staticData.zlibContext, std::string_view((char *) data, size), 256);
         if (inflation.length() > 256) {
             /* Cause ASAN to freak out */
-            //delete (int *) (void *) 1;
+            delete (int *) (void *) 1;
         }
     });
 

diff --git a/src/PerMessageDeflate.h b/src/PerMessageDeflate.h
@@ -161,9 +161,20 @@ struct InflationStream {
 
         if (zlibContext->dynamicInflationBuffer.length()) {
             zlibContext->dynamicInflationBuffer.append(zlibContext->inflationBuffer, LARGE_BUFFER_SIZE - inflationStream.avail_out);
+
+            /* Let's be strict about the max size */
+            if (zlibContext->dynamicInflationBuffer.length() > maxPayloadLength) {
+                return {nullptr, 0};
+            }
+
             return {zlibContext->dynamicInflationBuffer.data(), zlibContext->dynamicInflationBuffer.length()};
         }
 
+        /* Let's be strict about the max size */
+        if ((LARGE_BUFFER_SIZE - inflationStream.avail_out) > maxPayloadLength) {
+            return {nullptr, 0};
+        }
+
         return {zlibContext->inflationBuffer, LARGE_BUFFER_SIZE - inflationStream.avail_out};
     }