From c3be764eb7f83d7d4788d5cbe2f7097b28e73b31 Mon Sep 17 00:00:00 2001
From: Georges Berenger
Date: Wed, 20 Nov 2024 10:09:01 -0800
Subject: [PATCH] Fix possible crash when reading corrupt file

Summary:
As reported by lionhead, a corrupt vrs file could cause a crash. Adding a simple sanity check.

Reviewed By: hanghu

Differential Revision: D66209820

fbshipit-source-id: 6e1f61765244f7144d3e77e21e2ff1c6b249b298
---
 vrs/ContentBlockReader.cpp | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/vrs/ContentBlockReader.cpp b/vrs/ContentBlockReader.cpp
index 6d83a988..0564007b 100644
--- a/vrs/ContentBlockReader.cpp
+++ b/vrs/ContentBlockReader.cpp
@@ -439,15 +439,23 @@ bool DataLayoutBlockReader::readBlock(
   // The size of the variable size buffer can be read from the var size index, so we read
   // the fixed size buffer first, extract the size of the var size data from the var size index,
   // so we can then read the var size buffer...
+  const size_t kMaxDataSize = 1024 * 1024 * 1024; // 1GB
   DataLayout& layout = *blockLayout_;
   vector& fixedData = layout.getFixedData();
-  fixedData.resize(layout.getFixedDataSizeNeeded());
+  size_t fixedDataSize = layout.getFixedDataSizeNeeded();
+  if (!XR_VERIFY(fixedDataSize <= kMaxDataSize)) {
+    return false;
+  }
+  fixedData.resize(fixedDataSize);
   vector& varData = layout.getVarData();
   int readBlockStatus = record.reader->read(fixedData);
   if (readBlockStatus == 0) {
-    size_t varLength = layout.getVarDataSizeFromIndex();
-    varData.resize(varLength);
-    if (varLength > 0) {
+    size_t varDataSize = layout.getVarDataSizeFromIndex();
+    if (!XR_VERIFY(varDataSize <= kMaxDataSize)) {
+      return false;
+    }
+    varData.resize(varDataSize);
+    if (varDataSize > 0) {
       readBlockStatus = record.reader->read(varData);
     }
   } else {
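Review bot: Both new checks wrap a value that comes straight from the file (`getFixedDataSizeNeeded()` and `getVarDataSizeFromIndex()` in this hunk) in XR_VERIFY, so a corrupt record now trips a verification macro instead of an ordinary validation branch; if XR_VERIFY asserts or logs at error severity in any build configuration, a plain `if (varDataSize > kMaxDataSize) { return false; }` with a log line naming the oversized field would be the better fit for an expected-bad-input path, so it is worth confirming what XR_VERIFY does in debug builds. The 1 GB bound is also loose: a var-size index that claims any size below the cap still causes a `varData.resize(varDataSize)` of that many bytes before `record.reader->read(varData)` can notice the block is shorter, so if the reader exposes the remaining length of the current record or content block, comparing the requested size against that would reject bad sizes before any allocation. As a point of style, `kMaxDataSize` is a function-local `const size_t`; `static constexpr size_t kMaxDataSize = 1024 * 1024 * 1024;` at namespace scope in this file would make the limit a visible compile-time constant that other block readers can share. readBlock starts before this hunk and continues after it.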