Report format error for small application blocks

If the application block is smaller than 4 bytes, this is invalid (because the id is 4 bytes already), but we tried to read (length - 4) bytes anyway. This computation could overflow, so the library would try to read nearly 2^64 bytes (or 2^32 on 32-bit architectures), instead of a small number. Now a proper format error is returned. This issue was found using libfuzzer and cargo-fuzz.
ruuda · Feb 22, 2017 · c036944 · c036944
1 parent 4219df2
commit c036944
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/metadata.rs b/src/metadata.rs
@@ -261,6 +261,10 @@ fn read_padding_block<R: ReadBytes>(input: &mut R, length: u32) -> Result<()> {
 }
 
 fn read_application_block<R: ReadBytes>(input: &mut R, length: u32) -> Result<(u32, Vec<u8>)> {
+    if length < 4 {
+        return fmt_err("application block length must be at least 4 bytes.")
+    }
+
     let id = try!(input.read_be_u32());
 
     // Four bytes of the block have been used for the ID, the rest is payload.