
Commit 6079cd9

committed
sources.py: check for numeric type
fix a crash with a malformed input such as: ... "additionalGids": [ 0, 1, 2, 3, { } ... Found with honggfuzz. Signed-off-by: Giuseppe Scrivano <[email protected]>
1 parent 45ad52b commit 6079cd9


1 file changed

+28
-4
lines changed


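--- a/src/sources.py
+++ b/src/sources.py
@@ -807,13 +807,31 @@ def read_val_generator(c_file, level, src, dest, typ, keyname, obj_typename):
 c_file.write('%s {\n' % (' ' * (level)))
 if typ.startswith("uint") or \
 (typ.startswith("int") and typ != "integer") or typ == "double":
-c_file.write('%sint invalid = common_safe_%s (YAJL_GET_NUMBER (val), &%s);\n' \
+c_file.write('%sint invalid;\n' % (' ' * (level + 1)))
+c_file.write('%sif (! YAJL_IS_NUMBER (val))\n' % (' ' * (level + 1)))
+c_file.write('%s {\n' % (' ' * (level + 1)))
+c_file.write('%s *err = strdup ("invalid type");\n' % (' ' * (level + 1)))
+c_file.write('%s return NULL;\n' % (' ' * (level + 1)))
+c_file.write('%s }\n' % (' ' * (level + 1)))
+c_file.write('%sinvalid = common_safe_%s (YAJL_GET_NUMBER (val), &%s);\n' \
 % (' ' * (level + 1), typ, dest))
 elif typ == "integer":
-c_file.write('%sint invalid = common_safe_int (YAJL_GET_NUMBER (val), (int *)&%s);\n' \
+c_file.write('%sint invalid;\n' % (' ' * (level + 1)))
+c_file.write('%sif (! YAJL_IS_NUMBER (val))\n' % (' ' * (level + 1)))
+c_file.write('%s {\n' % (' ' * (level + 1)))
+c_file.write('%s *err = strdup ("invalid type");\n' % (' ' * (level + 1)))
+c_file.write('%s return NULL;\n' % (' ' * (level + 1)))
+c_file.write('%s }\n' % (' ' * (level + 1)))
+c_file.write('%sinvalid = common_safe_int (YAJL_GET_NUMBER (val), (int *)&%s);\n' \
 % (' ' * (level + 1), dest))
 elif typ == "UID" or typ == "GID":
-c_file.write('%sint invalid = common_safe_uint (YAJL_GET_NUMBER (val),' \
+c_file.write('%sint invalid;\n' % (' ' * (level + 1)))
+c_file.write('%sif (! YAJL_IS_NUMBER (val))\n' % (' ' * (level + 1)))
+c_file.write('%s {\n' % (' ' * (level + 1)))
+c_file.write('%s *err = strdup ("invalid type");\n' % (' ' * (level + 1)))
+c_file.write('%s return NULL;\n' % (' ' * (level + 1)))
+c_file.write('%s }\n' % (' ' * (level + 1)))
+c_file.write('%sinvalid = common_safe_uint (YAJL_GET_NUMBER (val),' \
 ' (unsigned int *)&%s);\n' % (' ' * (level + 1), dest))
 c_file.write('%sif (invalid)\n' % (' ' * (level + 1)))
 c_file.write('%s {\n' % (' ' * (level + 1)))
@@ -838,7 +856,13 @@ def read_val_generator(c_file, level, src, dest, typ, keyname, obj_typename):
 (' ' * (level + 1), dest, helpers.get_map_c_types(num_type)))
 c_file.write('%sif (%s == NULL)\n' % (' ' * (level + 1), dest))
 c_file.write('%s return NULL;\n' % (' ' * (level + 1)))
-c_file.write('%sint invalid = common_safe_%s (YAJL_GET_NUMBER (val), %s);\n' \
+c_file.write('%sint invalid;\n' % (' ' * (level + 1)))
+c_file.write('%sif (! YAJL_IS_NUMBER (val))\n' % (' ' * (level + 1)))
+c_file.write('%s {\n' % (' ' * (level + 1)))
+c_file.write('%s *err = strdup ("invalid type");\n' % (' ' * (level + 1)))
+c_file.write('%s return NULL;\n' % (' ' * (level + 1)))
+c_file.write('%s}\n' % (' ' * (level + 1)))
+c_file.write('%sinvalid = common_safe_%s (YAJL_GET_NUMBER (val), %s);\n' \
 % (' ' * (level + 1), num_type, dest))
 c_file.write('%sif (invalid)\n' % (' ' * (level + 1)))
 c_file.write('%s {\n' % (' ' * (level + 1)))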
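Review bot: The `YAJL_IS_NUMBER` guard is emitted by four hand-copied runs of six `c_file.write` calls (new lines 810-815, 819-824, 828-833 and 859-864), and the copies have already drifted: the closing brace at new line 864 is written as `'%s}\n'` while the other three use `'%s }\n'`, as rendered on this page. Because this guard is what keeps `YAJL_GET_NUMBER` from being applied to a non-number node, it would be safer to emit it from one small helper and call that from each branch, for example `emit_number_guard(c_file, level + 1)` (the name is only a suggestion), so a numeric branch added later cannot miss the check. The commit changes only src/sources.py, so a regression test that feeds the malformed `"additionalGids"` input from the description to a generated parser would also be worth adding. `read_val_generator` starts and ends outside both hunks, so its other branches were not reviewed here.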
