Add detection of bad sizes/lengths of deserialized containers

author Tomasz Swierczek <t.swierczek@samsung.com>

Thu, 14 Jun 2018 09:41:16 +0000 (11:41 +0200)

committer Tomasz Swierczek <t.swierczek@samsung.com>

Wed, 20 Jun 2018 09:09:12 +0000 (11:09 +0200)
author Tomasz Swierczek <t.swierczek@samsung.com>
Thu, 14 Jun 2018 09:41:16 +0000 (11:41 +0200)
committer Tomasz Swierczek <t.swierczek@samsung.com>
Wed, 20 Jun 2018 09:09:12 +0000 (11:09 +0200)
diff --git a/src/dpl/core/include/dpl/serialization.h b/src/dpl/core/include/dpl/serialization.h

index 7226c64..168f604 100644 (file)
--- a/src/dpl/core/include/dpl/serialization.h
+++ b/src/dpl/core/include/dpl/serialization.h
@@ -28,7 +28,16 @@
  #include <memory>
  #include <tuple>
  
+#include <dpl/exception.h>
+
  namespace SecurityManager {
+
+class SerializationException {
+public:
+    DECLARE_EXCEPTION_TYPE(SecurityManager::Exception, Base)
+    DECLARE_EXCEPTION_TYPE(Base, InvalidStreamData)
+};
+
  // Abstract data stream buffer
  class IStream
  {
@@ -341,6 +350,8 @@ struct Deserialization {
      {
          int length;
          stream.Read(sizeof(length), &length);
+        if (length < 0)
+            ThrowMsg(SerializationException::InvalidStreamData, "Invalid length of std::string (less than 0)");
          char * buf = new char[length + 1];
          std::unique_ptr<char[]> ptr(buf);
          stream.Read(length, buf);
@@ -351,6 +362,8 @@ struct Deserialization {
      {
          int length;
          stream.Read(sizeof(length), &length);
+        if (length < 0)
+            ThrowMsg(SerializationException::InvalidStreamData, "Invalid length of std::string (less than 0)");
          char * buf = new char[length + 1];
          std::unique_ptr<char[]> ptr(buf);
          stream.Read(length, buf);
@@ -366,6 +379,8 @@ struct Deserialization {
      {
          int length;
          stream.Read(sizeof(length), &length);
+        if (length < 0)
+            ThrowMsg(SerializationException::InvalidStreamData, "Invalid length of std::list (less than 0)");
          for (int i = 0; i < length; ++i) {
              T obj;
              Deserialize(stream, obj);
@@ -387,6 +402,8 @@ struct Deserialization {
      {
          int length;
          stream.Read(sizeof(length), &length);
+        if (length < 0)
+            ThrowMsg(SerializationException::InvalidStreamData, "Invalid length of std::vector (less than 0)");
          for (int i = 0; i < length; ++i) {
              T obj;
              Deserialize(stream, obj);
@@ -447,6 +464,8 @@ struct Deserialization {
      {
          int length;
          stream.Read(sizeof(length), &length);
+        if (length < 0)
+            ThrowMsg(SerializationException::InvalidStreamData, "Invalid size of std::map (less than 0)");
          for (int i = 0; i < length; ++i) {
              K key;
              T obj;
author	Tomasz Swierczek <t.swierczek@samsung.com>
	Thu, 14 Jun 2018 09:41:16 +0000 (11:41 +0200)
committer	Tomasz Swierczek <t.swierczek@samsung.com>
	Wed, 20 Jun 2018 09:09:12 +0000 (11:09 +0200)