Check that value offset does not extend pass end of message

int08h · Mar 24, 2018 · 9656fda · 9656fda
1 parent abc7f8b
commit 9656fda
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 7 deletions.
diff --git a/src/error.rs b/src/error.rs
@@ -25,6 +25,12 @@ pub enum Error {
     /// The associated byte sequence does not correspond to a valid Roughtime tag.
     InvalidTag(Box<[u8]>),
 
+    /// Invalid number of tags specified
+    InvalidNumTags(u32),
+
+    /// Tag value length exceeds length of source bytes
+    InvalidValueLength(Tag, u32),
+
     /// Encoding failed. The associated `std::io::Error` should provide more information.
     EncodingFailure(std::io::Error),
 
@@ -37,9 +43,6 @@ pub enum Error {
     /// Offset is outside of valid message range
     InvalidOffsetValue(u32),
 
-    /// Invalid number of tags specified 
-    InvalidNumTags(u32),
-
     /// Could not convert bytes to message because bytes were too short
     MessageTooShort,
 

diff --git a/src/message.rs b/src/message.rs
@@ -112,14 +112,19 @@ impl RtMessage {
         // as an offset from the end of the header
         let msg_end = bytes.len() - header_end;
 
-        assert_eq!(offsets.len(), tags.len() - 1);
-
         for (tag, (value_start, value_end)) in tags.into_iter().zip(
             once(&0)
                 .chain(offsets.iter())
-                .zip(offsets.iter().chain(once(&msg_end))),
+                .zip(offsets.iter().chain(once(&msg_end)))
         ) {
-            let value = bytes[(header_end + value_start)..(header_end + value_end)].to_vec();
+            let start_idx = header_end + value_start;
+            let end_idx = header_end + value_end;
+
+            if end_idx > msg_end || start_idx > end_idx {
+                return Err(Error::InvalidValueLength(tag, end_idx as u32));
+            }
+
+            let value = bytes[start_idx..end_idx].to_vec();
             rt_msg.add_field(tag, &value)?;
         }