From: sleske <sleske@ffa7fe5e-494d-0410-b361-a75ebd5db220>
Date: Fri, 29 Jun 2012 18:28:24 +0000 (+0000)
Subject: Fix:maptool:Do not crash on invalid protobuf file.
X-Git-Tag: navit-0.5.0.5194svn~33
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=93a76430f5aca28f4388dc3ca4b64949d9116e7b;p=profile%2Fivi%2Fnavit.git

Fix:maptool:Do not crash on invalid protobuf file.

git-svn-id: https://navit.svn.sourceforge.net/svnroot/navit/trunk@5162 ffa7fe5e-494d-0410-b361-a75ebd5db220
---

diff --git a/navit/navit/maptool/osm_protobuf.c b/navit/navit/maptool/osm_protobuf.c
index 3d3ae69..30d34bb 100644
--- a/navit/navit/maptool/osm_protobuf.c
+++ b/navit/navit/maptool/osm_protobuf.c
@@ -32,16 +32,30 @@
 
 static double latlon_scale=10000000.0;
 
+/* Maximum length of a BlobHeader, see
+ * http://wiki.openstreetmap.org/wiki/PBF_Format */
+#define MAX_HEADER_LENGTH 1024 * 64
+/* Maximum length of a Blob */
+#define MAX_BLOB_LENGTH 1024 * 1024 * 32
+
+#define SANITY_CHECK_LENGTH(length, max_length) \
+	if (length > max_length){                                          \
+		fprintf(stderr,"Not a valid protobuf file. "               \
+			"Invalid block size in input: %d, max is %d. \n",  \
+				length, max_length);                       \
+		return NULL;                                                   \
+	}
+
 static OSMPBF__BlobHeader *
 read_header(FILE *f)
 {
 	unsigned char *buffer,lenb[4];
 	int len;
 
-	len=sizeof(lenb);
 	if (fread(lenb, 4, 1, f) != 1)
 		return NULL;
 	len=(lenb[0] << 24) | (lenb[1] << 16) | (lenb[2] << 8) | lenb[3];
+	SANITY_CHECK_LENGTH(len, MAX_HEADER_LENGTH)
 	buffer=alloca(len);
 	if (fread(buffer, len, 1, f) != 1)
 		return NULL;
@@ -54,7 +68,7 @@ read_blob(OSMPBF__BlobHeader *header, FILE *f)
 {
 	unsigned char *buffer;
 	int len=header->datasize;
-
+	SANITY_CHECK_LENGTH(len, MAX_BLOB_LENGTH)
 	buffer=alloca(len);
 	if (fread(buffer, len, 1, f) != 1)
 		return NULL;
@@ -356,7 +370,7 @@ map_collect_data_osm_protobuf(FILE *in, struct maptool_osm *osm)
 		} else if (!strcmp(header->type,"OSMData")) {
 			process_osmdata(blob, data, osm);
 		} else {
-			printf("unknown\n");
+			printf("skipping fileblock of unknown type '%s'\n", header->type);
 			return 0;
 		}
 		free(data);