msgpack: validate msgpack.decode() cdata size argument

Negative size led to an assertion. The commit adds a check if size is negative. Closes #4224

msgpack: validate msgpack.decode() cdata size argument
10873f16 · Vladislav Shpilevoy · Vladimir Davydov · 539aee3d · 10873f16 · 10873f16
Commit 10873f16 authored 5 years ago by Vladislav Shpilevoy Committed by Vladimir Davydov 5 years ago
--- a/src/lua/msgpack.c
+++ b/src/lua/msgpack.c
@@ -336,7 +336,11 @@ lua_msgpack_decode_cdata(lua_State *L, bool check)
 				  "a Lua string or 'char *' expected");
 	}
 	if (check) {
-		size_t data_len = luaL_checkinteger(L, 2);
+		ptrdiff_t data_len = luaL_checkinteger(L, 2);
+		if (data_len < 0) {
+			return luaL_error(L, "msgpack.decode: size can't be "\
+					  "negative");
+		}
 		const char *p = data;
 		if (mp_check(&p, data + data_len) != 0)
 			return luaL_error(L, "msgpack.decode: invalid MsgPack");

--- a/test/app/msgpack.result
+++ b/test/app/msgpack.result
@@ -244,3 +244,11 @@ size = msgpack.encode(100, buf)
 ---
 - 100
 ...
+--
+-- gh-4224: msgpack.decode(cdata, size) should check, that size
+-- is not negative.
+--
+msgpack.decode(ffi.cast('char *', '\x04\x05\x06'), -1)
+---
+- error: 'msgpack.decode: size can''t be negative'
+...
--- a/test/app/msgpack.test.lua
+++ b/test/app/msgpack.test.lua
@@ -78,3 +78,9 @@ buf:reset()
 size = msgpack.encode(100, buf)
 (msgpack.decode(ffi.cast('char *', buf.rpos), size))
 (msgpack.decode(ffi.cast('const char *', buf.rpos), size))
+
+--
+-- gh-4224: msgpack.decode(cdata, size) should check, that size
+-- is not negative.
+--
+msgpack.decode(ffi.cast('char *', '\x04\x05\x06'), -1)