rms/VictoriaMetrics
1
0
Fork 0
mirror of https://github.com/VictoriaMetrics/VictoriaMetrics.git synced 2026-05-17 00:26:36 +03:00
Code Issues Packages Projects Releases Wiki Activity

lib/encoding: fix integer overflow in UnmarshalBytes (#10629)

Browse Source 
Poison varint: MaxUint64 encoded as varint (0xFFFFFFFFFFFFFFFF). 
The bounds check uint64(nSize)+n overflows to 9, bypassing the guard. 
Then int(MaxUint64)=-1 makes src[10:9] which panics.
This commit is contained in:
Max Kotliar
2026-03-11 12:42:49 +02:00
committed by GitHub
parent 5b4ab4456e
commit 82eab5c5b7
2 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/encoding/int.go
View File

@@ -517,7 +517,7 @@ func UnmarshalBytes(src []byte) ([]byte, int) {
if nSize <= 0 {
return nil, 0
}
if uint64(nSize)+n > uint64(len(src)) {
if n > uint64(len(src)-nSize) {
return nil, 0
}
start := nSize

8
lib/encoding/int_test.go
View File

@@ -295,6 +295,14 @@ func testMarshalUnmarshalVarUint64(t *testing.T, u uint64) {
}
}
func TestUnmarshalBytesOverflow(t *testing.T) {
poisonVarint := []byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01}
result, nSize := UnmarshalBytes(poisonVarint)
if nSize > 0 || result != nil {
t.Fatalf("expected error from overflow input, got nSize=%d result=%x", nSize, result)
}
}
func TestMarshalUnmarshalBytes(t *testing.T) {
testMarshalUnmarshalBytes(t, "")
testMarshalUnmarshalBytes(t, "x")