author | Alan Antonuk <alan.antonuk@gmail.com> | 2023-03-12 15:09:35 +0000 |
---|---|---|
committer | Alan Antonuk <alan.antonuk@gmail.com> | 2023-03-12 11:19:31 -0400 |
commit | 72e6c63ae07ca800394d38bfe5c9238c9881f0b2 (patch) | |
tree | 88a8370b534dc76e8f4d2075cdee6a9533027288 | |
parent | 903b6b5c954057a9a9c35c075879dac145b2645e (diff) | |
fix: recursion when decoding arrays.
This corrects what was done in 903b6b5 to correctly limit array
recursion in addition to recursion within a table.
Fixes: https://crbug.com/oss-fuzz/56949
Signed-off-by: GitHub <noreply@github.com>
-rw-r--r-- | librabbitmq/amqp_table.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/librabbitmq/amqp_table.c b/librabbitmq/amqp_table.c
index 6bfab5e..e900ab2 100644
--- a/librabbitmq/amqp_table.c
+++ b/librabbitmq/amqp_table.c
@@ -103,10 +103,6 @@ static int amqp_decode_table_internal(amqp_bytes_t encoded, amqp_pool_t *pool,
 size_t limit;
 int res;
 
- if (depth > TABLE_DEPTH_LIMIT) {
- return AMQP_STATUS_BAD_AMQP_DATA;
- }
-
 if (!amqp_decode_32(encoded, offset, &tablesize)) {
 return AMQP_STATUS_BAD_AMQP_DATA;
 }
@@ -188,6 +184,10 @@ static int amqp_decode_field_value(amqp_bytes_t encoded, amqp_pool_t *pool,
 int depth) {
 int res = AMQP_STATUS_BAD_AMQP_DATA;
 
+ if (depth > TABLE_DEPTH_LIMIT) {
+ return AMQP_STATUS_BAD_AMQP_DATA;
+ }
+
 if (!amqp_decode_8(encoded, offset, &entry->kind)) {
 goto out;
 }
 |
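Review bot: The depth guard added at the top of amqp_decode_field_value has no comment saying why it lives here rather than in amqp_decode_table_internal, and the commit message shows the placement was already wrong once (903b6b5). I would put a comment above it along the lines of `/* Bound nesting here so array and table recursion are both limited; the encoded input may be peer-controlled. */` so a later refactor does not move the check back. The early `return` also departs from the `goto out` pattern used two lines below; since `res` is already initialised to AMQP_STATUS_BAD_AMQP_DATA, `goto out;` looks equivalent, provided the `out:` label (outside this hunk) only returns `res`. The diffstat lists only amqp_table.c, so the OSS-Fuzz reproducer is not captured as a regression test in this commit. The body of amqp_decode_field_value continues past the end of the hunk.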