author | Vadim Yanitskiy <vyanitskiy@sysmocom.de> | 2020-05-23 17:43:45 +0700 |
---|---|---|
committer | Vadim Yanitskiy <vyanitskiy@sysmocom.de> | 2020-05-23 18:00:53 +0700 |
commit | 0614e9333fb5072640ba9939a28ffc1588cfe5bd (patch) | |
tree | 2794ff9bf6c1ed9b9a15a8ac6d7d68d70969e04f /src | |
parent | fac833264952aee68acfaf8676fe86159517ef50 (diff) |
csn1: fix csnStreamEncoder(): always check the choice index
It's so easy to pick an out of bounds value otherwise...
Change-Id: I12f5ab739b97f1f3b5d4bed1b5a4a661c879e89f
Diffstat (limited to 'src')
-rw-r--r-- | src/csn1.c | 10 |
1 files changed, 6 insertions, 4 deletions
@@ -1803,7 +1803,6 @@ gint16 csnStreamEncoder(csnStream_t* ar, const CSN_DESCR* pDescr, struct bitvec
 case CSN_CHOICE:
 {
 gint16 count = pDescr->i;
- guint8 i = 0;
 const CSN_ChoiceElement_t* pChoice = (const CSN_ChoiceElement_t*) pDescr->descr.ptr;
 
 /* Make sure that the list of choice items is not empty */
@@ -1812,9 +1811,12 @@ gint16 csnStreamEncoder(csnStream_t* ar, const CSN_DESCR* pDescr, struct bitvec
 else if (count > 255) /* We can handle up to 256 (UCHAR_MAX) selectors */
 return ProcessError(writeIndex, "csnStreamEncoder", CSN_ERROR_IN_SCRIPT, pDescr);
 
- pui8 = pui8DATA(data, pDescr->offset);
- i = *pui8;
- pChoice += i;
+ /* Make sure that choice index is not out of range */
+ pui8 = pui8DATA(data, pDescr->offset);
+ if (*pui8 >= count)
+ return ProcessError(writeIndex, "csnStreamEncoder", CSN_ERROR_INVALID_UNION_INDEX, pDescr);
+
+ pChoice += *pui8;
 guint8 no_of_bits = pChoice->bits;
 guint8 value = pChoice->value;
 LOGPC(DCSN1, LOGL_DEBUG, "%s = %u | ", pChoice->descr.sz , (unsigned)value);
|
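Review bot: In the second hunk the bounds check and the pointer advance each dereference `pui8` separately (`if (*pui8 >= count)`, then `pChoice += *pui8;`), so the value that was validated is not provably the value that is used. Nothing visible here suggests `data` can change between the two reads, but reading the index once ties the check to the use: `const guint8 idx = *pui8;`, `if (idx >= count)`, `pChoice += idx;`. Both operands are promoted to int, so a negative `count` from the descriptor is rejected as well. That is worth stating in the comment, e.g. `/* Index comes from the caller's data, count from the descriptor; also rejects count < 0 */`. The CSN_CHOICE case starts before and continues past this hunk, so other uses of the index cannot be checked from here.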