Commit 351b26fa authored by Richard van der Hoff's avatar Richard van der Hoff Committed by GitHub

Merge pull request #28 from matrix-org/rav/fix_megolm_segfault

Fix a buffer bounds check when decoding group messages
parents 780203b0 1ff64391
...@@ -214,11 +214,13 @@ void olm::decode_message( ...@@ -214,11 +214,13 @@ void olm::decode_message(
reader.ciphertext = nullptr; reader.ciphertext = nullptr;
reader.ciphertext_length = 0; reader.ciphertext_length = 0;
if (pos == end) return;
if (input_length < mac_length) return; if (input_length < mac_length) return;
if (pos == end) return;
reader.version = *(pos++); reader.version = *(pos++);
while (pos != end) { while (pos != end) {
unknown = pos;
pos = decode( pos = decode(
pos, end, RATCHET_KEY_TAG, pos, end, RATCHET_KEY_TAG,
reader.ratchet_key, reader.ratchet_key_length reader.ratchet_key, reader.ratchet_key_length
...@@ -234,7 +236,6 @@ void olm::decode_message( ...@@ -234,7 +236,6 @@ void olm::decode_message(
if (unknown == pos) { if (unknown == pos) {
pos = skip_unknown(pos, end); pos = skip_unknown(pos, end);
} }
unknown = pos;
} }
} }
...@@ -303,6 +304,7 @@ void olm::decode_one_time_key_message( ...@@ -303,6 +304,7 @@ void olm::decode_one_time_key_message(
reader.version = *(pos++); reader.version = *(pos++);
while (pos != end) { while (pos != end) {
unknown = pos;
pos = decode( pos = decode(
pos, end, ONE_TIME_KEY_ID_TAG, pos, end, ONE_TIME_KEY_ID_TAG,
reader.one_time_key, reader.one_time_key_length reader.one_time_key, reader.one_time_key_length
...@@ -322,7 +324,6 @@ void olm::decode_one_time_key_message( ...@@ -322,7 +324,6 @@ void olm::decode_one_time_key_message(
if (unknown == pos) { if (unknown == pos) {
pos = skip_unknown(pos, end); pos = skip_unknown(pos, end);
} }
unknown = pos;
} }
} }
...@@ -377,9 +378,12 @@ void _olm_decode_group_message( ...@@ -377,9 +378,12 @@ void _olm_decode_group_message(
results->ciphertext_length = 0; results->ciphertext_length = 0;
if (input_length < trailer_length) return; if (input_length < trailer_length) return;
if (pos == end) return;
results->version = *(pos++); results->version = *(pos++);
while (pos != end) { while (pos != end) {
unknown = pos;
pos = decode( pos = decode(
pos, end, GROUP_MESSAGE_INDEX_TAG, pos, end, GROUP_MESSAGE_INDEX_TAG,
results->message_index, has_message_index results->message_index, has_message_index
...@@ -391,7 +395,6 @@ void _olm_decode_group_message( ...@@ -391,7 +395,6 @@ void _olm_decode_group_message(
if (unknown == pos) { if (unknown == pos) {
pos = skip_unknown(pos, end); pos = skip_unknown(pos, end);
} }
unknown = pos;
} }
results->has_message_index = (int)has_message_index; results->has_message_index = (int)has_message_index;
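Review bot: The new `if (pos == end) return;` in _olm_decode_group_message is only a sufficient guard because it now sits after the `input_length < trailer_length` check, and nothing in the hunk records that ordering constraint. If `end` is derived from `input_length - trailer_length` (its computation is above the hunk and not visible here), a short input would put `end` before `pos`, so the equality test alone could never fire; a comment such as `// Must follow the trailer_length check: end is computed relative to the trailer and lies before pos on a short input` on the new line, and on the matching line moved in decode_message, would stop a later reorder from reintroducing the over-read. The decode_one_time_key_message hunk shows `reader.version = *(pos++);` with no guard visible above it; presumably the same check sits just before the hunk, but it is worth confirming. With `unknown = pos;` now assigned at the top of each loop body, any initialisation of `unknown` before the loops (outside these hunks) looks redundant and could be dropped. All three functions begin and end outside their hunks.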