fix limit on map max size; test array/map max size
diff --git a/src/qcbor_decode.c b/src/qcbor_decode.c
index 646c0d4..0107a5b 100644
--- a/src/qcbor_decode.c
+++ b/src/qcbor_decode.c
@@ -461,8 +461,8 @@
static QCBORError
DecodeNesting_DescendMapOrArray(QCBORDecodeNesting *pNesting,
- uint8_t uQCBORType,
- uint64_t uCount)
+ const uint8_t uQCBORType,
+ const uint16_t uCount)
{
QCBORError uError = QCBOR_SUCCESS;
@@ -474,21 +474,16 @@
/* Empty indefinite-length maps and arrays are handled elsewhere */
}
- /* Error out if arrays is too long to handle */
- if(uCount != QCBOR_COUNT_INDICATES_INDEFINITE_LENGTH &&
- uCount > QCBOR_MAX_ITEMS_IN_ARRAY) {
- uError = QCBOR_ERR_ARRAY_DECODE_TOO_LONG;
- goto Done;
- }
+ /* Rely on check in QCBOR_Private_DecodeArrayOrMap() for definite-length
+ * arrays and maps that are too long */
uError = DecodeNesting_Descend(pNesting, uQCBORType);
if(uError != QCBOR_SUCCESS) {
goto Done;
}
- /* Fill in the new map/array level. Check above makes casts OK. */
- pNesting->pCurrent->u.ma.uCountCursor = (uint16_t)uCount;
- pNesting->pCurrent->u.ma.uCountTotal = (uint16_t)uCount;
+ pNesting->pCurrent->u.ma.uCountCursor = uCount;
+ pNesting->pCurrent->u.ma.uCountTotal = uCount;
DecodeNesting_ClearBoundedMode(pNesting);
@@ -1042,7 +1037,7 @@
static QCBORError
QCBOR_Private_DecodeArrayOrMap(const uint8_t uMode,
const int nMajorType,
- const uint64_t uItemCount,
+ uint64_t uItemCount,
const int nAdditionalInfo,
QCBORItem *pDecodedItem)
{
@@ -1075,29 +1070,20 @@
uReturn = QCBOR_ERR_INDEF_LEN_ARRAYS_DISABLED;
#endif /* ! QCBOR_DISABLE_INDEFINITE_LENGTH_ARRAYS */
} else {
+ /* ----- Definite-length array/map ----- */
+ if(uItemCount > (nMajorType == QCBOR_TYPE_MAP ? QCBOR_MAX_ITEMS_IN_MAP : QCBOR_MAX_ITEMS_IN_ARRAY)) {
+ uReturn = QCBOR_ERR_ARRAY_DECODE_TOO_LONG;
+ }
#ifndef QCBOR_DISABLE_NON_INTEGER_LABELS
if(uMode == QCBOR_DECODE_MODE_MAP_AS_ARRAY && nMajorType == QCBOR_TYPE_MAP) {
- /* ------ Definite-length map as array ------ */
-
- if(uItemCount > QCBOR_MAX_ITEMS_IN_ARRAY/2) {
- uReturn = QCBOR_ERR_ARRAY_DECODE_TOO_LONG;
- } else {
- /* cast OK because of check above */
- pDecodedItem->val.uCount = (uint16_t)uItemCount*2;
- }
-
- } else
-#endif /* ! QCBOR_DISABLE_NON_INTEGER_LABELS */
- {
- /* ------ Definite-length array/map ------ */
- if(uItemCount > QCBOR_MAX_ITEMS_IN_ARRAY) {
- uReturn = QCBOR_ERR_ARRAY_DECODE_TOO_LONG;
- } else {
- /* cast OK because of check above */
- pDecodedItem->val.uCount = (uint16_t)uItemCount;
- }
+ /* ------ Map as array ------ */
+ uItemCount *= 2;
}
+#endif /* ! QCBOR_DISABLE_NON_INTEGER_LABELS */
+
+ /* cast OK because of check above */
+ pDecodedItem->val.uCount = (uint16_t)uItemCount;
}
return uReturn;
@@ -2081,8 +2067,8 @@
*/
QCBORError uDescendErr;
uDescendErr = DecodeNesting_DescendMapOrArray(&(pMe->nesting),
- pDecodedItem->uDataType,
- pDecodedItem->val.uCount);
+ pDecodedItem->uDataType,
+ pDecodedItem->val.uCount);
if(uDescendErr != QCBOR_SUCCESS) {
/* This error is probably a traversal error and it overrides
* the non-traversal error.
diff --git a/src/qcbor_encode.c b/src/qcbor_encode.c
index aa0b991..7657303 100644
--- a/src/qcbor_encode.c
+++ b/src/qcbor_encode.c
@@ -223,7 +223,7 @@
*
* QCBOR_DISABLE_ENCODE_USAGE_GUARDS also disables the check for more
* than QCBOR_MAX_ITEMS_IN_ARRAY in an array. Since
- * QCBOR_MAX_ITEMS_IN_ARRAY is very large (65,535) it is very unlikely
+ * QCBOR_MAX_ITEMS_IN_ARRAY is very large (65,534) it is very unlikely
* to be reached. If it is reached, the count will wrap around to zero
* and CBOR that is not well formed will be produced, but there will
* be no buffers overrun and new security issues in the code.
diff --git a/test/qcbor_decode_tests.c b/test/qcbor_decode_tests.c
index 7434f0d..aa52c53 100644
--- a/test/qcbor_decode_tests.c
+++ b/test/qcbor_decode_tests.c
@@ -2297,9 +2297,61 @@
}
+/* These are just the item that open large maps and arrays, not
+ * the items in the array. This is sufficient to test the
+ * boundary condition. */
+static const uint8_t spLargeArrayFake[] = {
+ 0x99, 0xff, 0xfe};
+
+static const uint8_t spTooLargeArrayFake[] = {
+ 0x99, 0xff, 0xff};
+
+static const uint8_t spLargeMapFake[] = {
+ 0xb9, 0x7f, 0xff};
+
+static const uint8_t spTooLargeMapFake[] = {
+ 0xba, 0x00, 0x01, 0x00, 0x00};
+
int32_t ParseMapTest(void)
{
+ QCBORDecodeContext DCtx;
+ QCBORItem Item;
+ QCBORError uErr;
+
+ QCBORDecode_Init(&DCtx,
+ UsefulBuf_FROM_BYTE_ARRAY_LITERAL(spLargeArrayFake),
+ QCBOR_DECODE_MODE_NORMAL);
+ uErr = QCBORDecode_GetNext(&DCtx, &Item);
+ if(uErr != QCBOR_SUCCESS || Item.val.uCount != QCBOR_MAX_ITEMS_IN_ARRAY) {
+ return -100;
+ }
+
+ QCBORDecode_Init(&DCtx,
+ UsefulBuf_FROM_BYTE_ARRAY_LITERAL(spTooLargeArrayFake),
+ QCBOR_DECODE_MODE_NORMAL);
+ uErr = QCBORDecode_GetNext(&DCtx, &Item);
+ if(uErr != QCBOR_ERR_ARRAY_DECODE_TOO_LONG) {
+ return -101;
+ }
+
+ QCBORDecode_Init(&DCtx,
+ UsefulBuf_FROM_BYTE_ARRAY_LITERAL(spLargeMapFake),
+ QCBOR_DECODE_MODE_NORMAL);
+ uErr = QCBORDecode_GetNext(&DCtx, &Item);
+ if(uErr != QCBOR_SUCCESS || Item.val.uCount != QCBOR_MAX_ITEMS_IN_MAP) {
+ return -110;
+ }
+
+ QCBORDecode_Init(&DCtx,
+ UsefulBuf_FROM_BYTE_ARRAY_LITERAL(spTooLargeMapFake),
+ QCBOR_DECODE_MODE_NORMAL);
+ uErr = QCBORDecode_GetNext(&DCtx, &Item);
+ if(uErr != QCBOR_ERR_ARRAY_DECODE_TOO_LONG) {
+ return -111;
+ }
+
+
// Parse a moderatly complex map structure very thoroughly
int32_t nResult = ParseMapTest1(QCBOR_DECODE_MODE_NORMAL);
if(nResult) {
diff --git a/test/qcbor_encode_tests.c b/test/qcbor_encode_tests.c
index ab2ed90..1539023 100644
--- a/test/qcbor_encode_tests.c
+++ b/test/qcbor_encode_tests.c
@@ -2779,6 +2779,19 @@
if(QCBOREncode_GetErrorState(&EC) != QCBOR_ERR_ARRAY_TOO_LONG) {
return 251;
}
+
+ QCBOREncode_Init(&EC, Large);
+ QCBOREncode_OpenMap(&EC);
+ for(i = 0; i < QCBOR_MAX_ITEMS_IN_MAP; i++) {
+ QCBOREncode_AddInt64ToMapN(&EC, 0,0);
+ }
+ if(QCBOREncode_GetErrorState(&EC)) {
+ return 250;
+ }
+ QCBOREncode_AddInt64ToMapN(&EC, 0,0);
+ if(QCBOREncode_GetErrorState(&EC) != QCBOR_ERR_ARRAY_TOO_LONG) {
+ return 251;
+ }
#endif /* ! QCBOR_DISABLE_ENCODE_USAGE_GUARDS */
return 0;