| author | stijn <stijn@ignitron.net> | 2023-11-08 13:43:28 +0100 |
|---|---|---|
| committer | Damien George <damien@micropython.org> | 2024-07-22 14:40:45 +1000 |
| commit | 444d7bacbec51321cea955802b62dff9318dcbf6 (patch) | |
| tree | 5d8b0205873fc9040ebfe71378b1f58775a49180 /extmod | |
| parent | 6db91dfefb1a7ba0026106d8f0c6589630e9a012 (diff) | |
extmod/moductypes: Validate the descriptor tuple.
Fixes various null dereferencing, out-of-bounds memory accesses and
`assert(0)` failures in the case of an invalid `uctypes` descriptor.
By design `uctypes` can crash because it accesses arbitrary memory, but at
least describing the descriptor layout should be forced to be correct and
not crash.
Fixes issue #12702.
Signed-off-by: stijn <stijn@ignitron.net>
Diffstat (limited to 'extmod')
| -rw-r--r-- | extmod/moductypes.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/extmod/moductypes.c b/extmod/moductypes.c
index fa743eb63..00a69a275 100644
--- a/extmod/moductypes.c
+++ b/extmod/moductypes.c
@@ -143,6 +143,10 @@ static inline mp_uint_t uctypes_struct_scalar_size(int val_type) {
 // Get size of aggregate type descriptor
 static mp_uint_t uctypes_struct_agg_size(mp_obj_tuple_t *t, int layout_type, mp_uint_t *max_field_size) {
+ if (t->len == 0) {
+ syntax_error();
+ }
+
 mp_uint_t total_size = 0;
 mp_int_t offset_ = MP_OBJ_SMALL_INT_VALUE(t->items[0]);
@@ -150,8 +154,15 @@ static mp_uint_t uctypes_struct_agg_size(mp_obj_tuple_t *t, int layout_type, mp_
 switch (agg_type) {
 case STRUCT:
+ if (t->len != 2) {
+ syntax_error();
+ }
 return uctypes_struct_size(t->items[1], layout_type, max_field_size);
 case PTR:
+ // Second field ignored, but should still be present for consistency.
+ if (t->len != 2) {
+ syntax_error();
+ }
 if (sizeof(void *) > *max_field_size) {
 *max_field_size = sizeof(void *);
 }
@@ -167,15 +178,17 @@ static mp_uint_t uctypes_struct_agg_size(mp_obj_tuple_t *t, int layout_type, mp_
 if (item_s > *max_field_size) {
 *max_field_size = item_s;
 }
- } else {
+ } else if (t->len == 3) {
 // Elements of array are aggregates
 item_s = uctypes_struct_size(t->items[2], layout_type, max_field_size);
+ } else {
+ syntax_error();
 }
 return item_s * arr_sz;
 }
 default:
- assert(0);
+ syntax_error();
 }
 return total_size; |
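Review bot: The new `t->len == 0` guard in the first hunk makes `t->items[0]` safe to read, but the context line right after it still hands that element to `MP_OBJ_SMALL_INT_VALUE` without checking its type. As far as I know that macro only decodes the object word, so a descriptor tuple whose first element is not a small int would have unrelated bits interpreted as the offset and aggregate type instead of being rejected. Since the stated goal is that a malformed descriptor raises rather than misbehaves, the guard could be `if (t->len == 0 || !mp_obj_is_small_int(t->items[0])) { syntax_error(); }`. The function body continues outside this hunk.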
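Review bot: In the third hunk the ARRAY case rejects a bad tuple length only in the final `else`, after the scalar branch has had its chance to run. The start of that case lies between the hunks and is not shown; if it decodes `t->items[1]` before the `if`, a one-element tuple tagged ARRAY is still read one slot past its end before `syntax_error()` is reached. A check at the top of the case, `if (t->len != 2 && t->len != 3) { syntax_error(); }`, would reject the descriptor before any item is touched. The element read there deserves the same small-int check as `t->items[0]`, since `arr_sz` feeds the `item_s * arr_sz` result directly.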
