• Kirill Smelkov's avatar
    decoder: Fix integer overflow in BYTEARRAY8 handling · 45fb14a6
    Kirill Smelkov authored
    Rerunning fuzzing afresh found the following crash because uint64 len > max(int64)
    was cast to int resulting in negative number:
    
        "\x960000000\xbd"
    
        panic: bytes.Buffer.Grow: negative count
    
        goroutine 1 [running]:
        bytes.(*Buffer).Grow(0xc000012140?, 0xc00010abf8?)
                /home/kirr/src/tools/go/go1.22/src/bytes/buffer.go:166 +0xb4
        github.com/kisielk/og-rek.(*Decoder).bufLoadBytesData(0xc000072000, 0xbd30303030303030)
                /home/kirr/src/neo/src/github.com/kisielk/og-rek/ogorek.go:788 +0xd5
        github.com/kisielk/og-rek.(*Decoder).bufLoadBinData8(0xc000072000)
                /home/kirr/src/neo/src/github.com/kisielk/og-rek/ogorek.go:776 +0x105
        github.com/kisielk/og-rek.(*Decoder).loadBytearray8(0xc000072000)
                /home/kirr/src/neo/src/github.com/kisielk/og-rek/ogorek.go:1270 +0x34
        github.com/kisielk/og-rek.(*Decoder).Decode(0xc000072000)
                /home/kirr/src/neo/src/github.com/kisielk/og-rek/ogorek.go:311 +0x1a2c
        github.com/kisielk/og-rek.Fuzz({0x7fd052187000, 0x9, 0x9})
                /home/kirr/src/neo/src/github.com/kisielk/og-rek/fuzz.go:15 +0xf6
        go-fuzz-dep.Main({0xc00010af38, 0x1, 0x5bc338?})
                go-fuzz-dep/main.go:36 +0x14c
        main.main()
                github.com/kisielk/og-rek/go.fuzz.main/main.go:15 +0x35
        exit status 2
    
    -> Fix it by first comparing uint64 len without casting and further casting to
    int only after we cap the len to be in safe range.
    45fb14a6
ogorek_test.go 34.8 KB