integer overflow in size-prefixed verifier bounds check#9043
Open
jmestwa-coder wants to merge 1 commit intogoogle:masterfrom
Open
integer overflow in size-prefixed verifier bounds check#9043jmestwa-coder wants to merge 1 commit intogoogle:masterfrom
jmestwa-coder wants to merge 1 commit intogoogle:masterfrom
Conversation
jmestwa-coder
force-pushed
the
verifier-size-prefix-overflow
branch
from
79dafe3 to
68e7847
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes an integer overflow risk in the size-prefixed verifier bounds check that could allow malformed buffers to bypass validation.
Problem
The previous check:
ReadScalar(buf_) + sizeof(SizeT) <= size_
performs unsigned arithmetic that can overflow for crafted large prefix values.This wraparound may cause invalid size-prefixed buffers to incorrectly pass verification.
Fix
Replaces the overflow-prone addition with a safe comparison against the remaining buffer size:
prefixed_size <= (size_ - sizeof(SizeT))
Preserves original validation logic
Eliminates overflow possibility
Ensures fail-closed behaviour for malformed inputs
Test
Added a targeted regression case in offset64_test.cpp:
Tampered buffer with maximum prefix value
Verifies that malformed input is correctly rejected
Uses assert = false locally to avoid aborts in debug verification builds
Impact
No change to valid input behavior
No API or design changes
Affects only malformed/overflow cases
Minimal, two-file patch
Validation
Built successfully with CMake
All tests passed (flattests, flattests_cpp17)
Verified under strict compiler flags and assertion-enabled mode
No new warnings or platform-specific issues