
Commit cf77050

Overflow checks for attempting to insert massive strings into strtable
PiperOrigin-RevId: 738079034
1 parent 71d18b7 commit cf77050


1 file changed

+9
-3
lines changed


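--- a/upb/hash/common.c
+++ b/upb/hash/common.c
@@ -287,12 +287,18 @@ static size_t begin(const upb_table* t) { return next(t, -1); }
 */
 
 static upb_key strcopy(lookupkey_t k2, upb_Arena* a) {
+// A 2GB string will fail at serialization time, but we can accept larger ones
+// in memory.
+if (k2.str.len > UINT32_MAX) {
+return 0;
+}
+
 uint32_t len = (uint32_t)k2.str.len;
-char* str = upb_Arena_Malloc(a, k2.str.len + sizeof(uint32_t) + 1);
+char* str = upb_Arena_Malloc(a, sizeof(uint32_t) + len + 1);
 if (str == NULL) return 0;
 memcpy(str, &len, sizeof(uint32_t));
-if (k2.str.len) memcpy(str + sizeof(uint32_t), k2.str.str, k2.str.len);
-str[sizeof(uint32_t) + k2.str.len] = '\0';
+if (len) memcpy(str + sizeof(uint32_t), k2.str.str, len);
+str[sizeof(uint32_t) + len] = '\0';
 return (uintptr_t)str;
 }
 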
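Review bot: The new `k2.str.len > UINT32_MAX` guard in strcopy can never fire on a target where size_t is 32 bits (assuming `k2.str.len` is a size_t, which the hunk does not show), and there `sizeof(uint32_t) + len + 1` still wraps for lengths above `UINT32_MAX - 5`, leaving the arena allocation smaller than the `memcpy` that follows. Bounding the length by the whole allocation size covers every target: `if (k2.str.len > UINT32_MAX - sizeof(uint32_t) - 1) return 0;`. The comment above the guard mentions a 2GB serialization limit while the check sits at 4GB; something like `// The length prefix is a uint32_t, so longer keys cannot be stored.` would state the actual reason. Returning 0 for an oversized key is also indistinguishable from the `str == NULL` return below it, so callers presumably report it as an allocation failure.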