author | Lyuma <xn.lyuma@gmail.com> | 2022-06-27 19:02:42 -0700 |
---|---|---|
committer | Lyuma <xn.lyuma@gmail.com> | 2022-06-30 18:04:33 -0700 |
commit | 33fd7c63e1dd897da367322c4ab4e04ae2658750 (patch) | |
tree | 1ada6e10e7caace006617fe7e22c0d314bff00d5 /core | |
parent | b863c40356b4b95192d1a1e2718db7d7aced4235 (diff) |
Prevent out-of-bounds write in array conversion; avoid logspam on empty arrays.
Diffstat (limited to 'core')
-rw-r--r-- | core/templates/vector.h | 3 | ||||
-rw-r--r-- | core/variant/variant_call.cpp | 32 |
2 files changed, 27 insertions, 8 deletions
diff --git a/core/templates/vector.h b/core/templates/vector.h
index 2ac7c7630a..f3f5ed76a7 100644
--- a/core/templates/vector.h
+++ b/core/templates/vector.h
@@ -145,6 +145,9 @@ public:
 Vector<uint8_t> to_byte_array() const {
 Vector<uint8_t> ret;
+ if (is_empty()) {
+ return ret;
+ }
 ret.resize(size() * sizeof(T));
 memcpy(ret.ptrw(), ptr(), sizeof(T) * size());
 return ret;
diff --git a/core/variant/variant_call.cpp b/core/variant/variant_call.cpp
index a4bb7630d6..c14de74af7 100644
--- a/core/variant/variant_call.cpp
+++ b/core/variant/variant_call.cpp
@@ -753,40 +753,56 @@ struct _VariantCall {
 static PackedInt32Array func_PackedByteArray_decode_s32_array(PackedByteArray *p_instance) {
 uint64_t size = p_instance->size();
 PackedInt32Array dest;
- ERR_FAIL_COND_V_MSG(size < sizeof(int32_t), dest, "Size didn't match array of size int32_t, maybe you are trying to convert to the wrong type?");
+ if (size == 0) {
+ return dest;
+ }
+ ERR_FAIL_COND_V_MSG(size % sizeof(int32_t), dest, "PackedByteArray size must be a multiple of 4 (size of 32-bit integer) to convert to PackedInt32Array.");
 const uint8_t *r = p_instance->ptr();
 dest.resize(size / sizeof(int32_t));
- memcpy(dest.ptrw(), r, size);
+ ERR_FAIL_COND_V(dest.size() == 0, dest); // Avoid UB in case resize failed.
+ memcpy(dest.ptrw(), r, dest.size() * sizeof(int32_t));
 return dest;
 }
 static PackedInt64Array func_PackedByteArray_decode_s64_array(PackedByteArray *p_instance) {
 uint64_t size = p_instance->size();
 PackedInt64Array dest;
- ERR_FAIL_COND_V_MSG(size < sizeof(int64_t), dest, "Size didn't match array of size int64_t, maybe you are trying to convert to the wrong type?");
+ if (size == 0) {
+ return dest;
+ }
+ ERR_FAIL_COND_V_MSG(size % sizeof(int64_t), dest, "PackedByteArray size must be a multiple of 8 (size of 64-bit integer) to convert to PackedInt64Array.");
 const uint8_t *r = p_instance->ptr();
 dest.resize(size / sizeof(int64_t));
- memcpy(dest.ptrw(), r, size);
+ ERR_FAIL_COND_V(dest.size() == 0, dest); // Avoid UB in case resize failed.
+ memcpy(dest.ptrw(), r, dest.size() * sizeof(int64_t));
 return dest;
 }
 static PackedFloat32Array func_PackedByteArray_decode_float_array(PackedByteArray *p_instance) {
 uint64_t size = p_instance->size();
 PackedFloat32Array dest;
- ERR_FAIL_COND_V_MSG(size < sizeof(float), dest, "Size didn't match array of size float, maybe you are trying to convert to the wrong type?");
+ if (size == 0) {
+ return dest;
+ }
+ ERR_FAIL_COND_V_MSG(size % sizeof(float), dest, "PackedByteArray size must be a multiple of 4 (size of 32-bit float) to convert to PackedFloat32Array.");
 const uint8_t *r = p_instance->ptr();
 dest.resize(size / sizeof(float));
- memcpy(dest.ptrw(), r, size);
+ ERR_FAIL_COND_V(dest.size() == 0, dest); // Avoid UB in case resize failed.
+ memcpy(dest.ptrw(), r, dest.size() * sizeof(float));
 return dest;
 }
 static PackedFloat64Array func_PackedByteArray_decode_double_array(PackedByteArray *p_instance) {
 uint64_t size = p_instance->size();
 PackedFloat64Array dest;
- ERR_FAIL_COND_V_MSG(size < sizeof(double), dest, "Size didn't match array of size double, maybe you are trying to convert to the wrong type?");
+ if (size == 0) {
+ return dest;
+ }
+ ERR_FAIL_COND_V_MSG(size % sizeof(double), dest, "PackedByteArray size must be a multiple of 8 (size of 64-bit double) to convert to PackedFloat64Array.");
 const uint8_t *r = p_instance->ptr();
 dest.resize(size / sizeof(double));
- memcpy(dest.ptrw(), r, size);
+ ERR_FAIL_COND_V(dest.size() == 0, dest); // Avoid UB in case resize failed.
+ memcpy(dest.ptrw(), r, dest.size() * sizeof(double));
 return dest;
 } |
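Review bot: The size check, the post-resize guard and the bounded memcpy are repeated verbatim in all four decode functions (s32, s64, float, double), so any later correction to this bounds logic has to be made four times, and a missed copy would bring the out-of-bounds write back for that one type. A single private template helper parameterised on the array and element types would keep the invariant in one place, with each `func_PackedByteArray_decode_*` reduced to a one-line call, as sketched below. Separately, the guard `ERR_FAIL_COND_V(dest.size() == 0, dest);` reports no message, unlike the size check above it; using `ERR_FAIL_COND_V_MSG` with a short allocation-failure text would make that path diagnosable. The enclosing struct `_VariantCall` starts and ends outside the hunk, so the helper's exact placement needs checking against the rest of the file.

```cpp
template <class ArrayT, class ElemT>
static ArrayT _decode_packed_array(const PackedByteArray *p_instance, const char *p_size_error) {
	ArrayT dest;
	const uint64_t size = p_instance->size();
	if (size == 0) {
		return dest; // Empty input is valid and must not log an error.
	}
	// Reject trailing bytes instead of copying them past the end of dest.
	ERR_FAIL_COND_V_MSG(size % sizeof(ElemT), dest, p_size_error);
	dest.resize(size / sizeof(ElemT));
	ERR_FAIL_COND_V_MSG(dest.size() == 0, dest, "Failed to allocate the destination array.");
	// Copy length is derived from what dest actually holds, never from the input size.
	memcpy(dest.ptrw(), p_instance->ptr(), dest.size() * sizeof(ElemT));
	return dest;
}

static PackedInt32Array func_PackedByteArray_decode_s32_array(PackedByteArray *p_instance) {
	return _decode_packed_array<PackedInt32Array, int32_t>(p_instance, "PackedByteArray size must be a multiple of 4 (size of 32-bit integer) to convert to PackedInt32Array.");
}
// … same one-line wrapper for decode_s64_array, decode_float_array and decode_double_array, each keeping its existing message …
```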