Fix int overflow in parser

sylr · sylr · commit a57f9b564886 · 2025-02-25T18:15:52.000+01:00
A maliciously crafted message with a bogus body length could make the parser panic if the body length is close to the int limit. Fixes #678 Signed-off-by: Sylvain Rabot <sylvain@abstraction.fr>
diff --git a/parser.go b/parser.go
@@ -132,7 +132,10 @@ func (p *parser) jumpLength() (int, error) {
 		return length, err
 	}
 
-	if length <= 0 {
+	// Issue 678: if length approaches the int limit, it might overflow when
+	// adding offset and make it negative so we also need to check that
+	// offset+length is not negative.
+	if length <= 0 || offset+length <= 0 {
 		return length, errors.New("Invalid length")
 	}
 
diff --git a/parser_test.go b/parser_test.go
@@ -186,3 +186,14 @@ func (s *ParserSuite) TestReadMessageGrowBuffer() {
 		s.Equal(tc.expectedBufferLen, len(s.parser.buffer))
 	}
 }
+
+// https://github.com/quickfixgo/quickfix/issues/678
+func TestIssue678(t *testing.T) {
+	defer func() {
+		if err := recover(); err != nil {
+			t.Error(err)
+		}
+	}()
+	parser := newParser(strings.NewReader(string("8=\x019=119999999999999999999999999999999999999999999999999999999999970\x01")))
+	_, _ = parser.ReadMessage()
+}

Original file line number	Diff line number	Diff line change
`@@ -132,7 +132,10 @@ func (p *parser) jumpLength() (int, error) {`
`132`	`132`	`return length, err`
`133`	`133`	`}`
`134`	`134`
`135`		`- if length <= 0 {`
	`135`	`+ // Issue 678: if length approaches the int limit, it might overflow when`
	`136`	`+ // adding offset and make it negative so we also need to check that`
	`137`	`+ // offset+length is not negative.`
	`138`	`+ if length <= 0 \|\| offset+length <= 0 {`
`136`	`139`	`return length, errors.New("Invalid length")`
`137`	`140`	`}`
`138`	`141`