From d8b7041d7e111a0dc8b80f13c1df2fd35d32387d Mon Sep 17 00:00:00 2001 From: Wouter van Oortmerssen Date: Tue, 14 Dec 2021 11:20:15 -0800 Subject: Added alignment checking to FlexBuffers verifier --- include/flatbuffers/flexbuffers.h | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'include') diff --git a/include/flatbuffers/flexbuffers.h b/include/flatbuffers/flexbuffers.h index b57e8ad2..89f3f308 100644 --- a/include/flatbuffers/flexbuffers.h +++ b/include/flatbuffers/flexbuffers.h @@ -1645,6 +1645,7 @@ class Verifier FLATBUFFERS_FINAL_CLASS { // comes at the cost of using additional memory the same size of // the buffer being verified, so it is by default off. std::vector *reuse_tracker = nullptr, + bool _check_alignment = true, size_t max_depth = 64) : buf_(buf), size_(buf_len), @@ -1652,6 +1653,7 @@ class Verifier FLATBUFFERS_FINAL_CLASS { max_depth_(max_depth), num_vectors_(0), max_vectors_(buf_len), + check_alignment_(_check_alignment), reuse_tracker_(reuse_tracker) { FLATBUFFERS_ASSERT(size_ < FLATBUFFERS_MAX_BUFFER_SIZE); if (reuse_tracker_) { @@ -1701,6 +1703,11 @@ class Verifier FLATBUFFERS_FINAL_CLASS { off <= static_cast(p - buf_); } + bool VerifyAlignment(const uint8_t *p, size_t size) const { + auto o = static_cast(p - buf_); + return Check((o & (size - 1)) == 0 || !check_alignment_); + } + // Macro, since we want to escape from parent function & use lazy args. #define FLEX_CHECK_VERIFIED(P, PACKED_TYPE) \ if (reuse_tracker_) { \ @@ -1795,6 +1802,8 @@ class Verifier FLATBUFFERS_FINAL_CLASS { if (!VerifyOffset(off, r.data_)) return false; auto p = r.Indirect(); + if (!VerifyAlignment(p, r.byte_width_)) + return false; switch (r.type_) { case FBT_INDIRECT_INT: case FBT_INDIRECT_UINT: @@ -1862,6 +1871,7 @@ class Verifier FLATBUFFERS_FINAL_CLASS { const size_t max_depth_; size_t num_vectors_; const size_t max_vectors_; + bool check_alignment_; std::vector *reuse_tracker_; }; -- cgit v1.2.3