Fix for #116 (#117)

* Add simple fuzzer and one failing test case

* Fix for #116

Author: stusmall

fuzz/.gitignore

@@ -0,0 +1,4 @@
+
+target
+corpus
+artifacts

fuzz/Cargo.toml

@@ -0,0 +1,26 @@
+
+[package]
+name = "bson-fuzz"
+version = "0.0.1"
+authors = ["Automatically generated"]
+publish = false
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies.bson]
+path = ".."
+[dependencies.libfuzzer-sys]
+git = "https://github.com/rust-fuzz/libfuzzer-sys.git"
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[[bin]]
+name = "fuzz_target_1"
+path = "fuzz_targets/fuzz_target_1.rs"
+
+[[bin]]
+name = "decode"
+path = "fuzz_targets/decode.rs"

fuzz/fuzz_targets/decode.rs

@@ -0,0 +1,10 @@
+#![no_main]
+#[macro_use] extern crate libfuzzer_sys;
+extern crate bson;
+
+use bson::decode_document;
+use std::io::Cursor;
+
+fuzz_target!(|buf: &[u8]| {
+    let _ = decode_document(&mut Cursor::new(&buf[..]));
+});

src/decoder/mod.rs

@@ -39,6 +39,8 @@ use spec::{self, BinarySubtype};
 
 use serde::de::Deserialize;
 
+const MAX_BSON_SIZE: i32 = 16 * 1024 * 1024;
+
 fn read_string<R: Read + ?Sized>(reader: &mut R, utf8_lossy: bool) -> DecoderResult<String> {
     let len = reader.read_i32::<LittleEndian>()?;
 
@@ -170,6 +172,9 @@ fn decode_bson<R: Read + ?Sized>(reader: &mut R, tag: u8, utf8_lossy: bool) -> D
         Some(Array) => decode_array(reader, utf8_lossy).map(Bson::Array),
         Some(Binary) => {
             let len = read_i32(reader)?;
+            if len < 0 || len > MAX_BSON_SIZE {
+                return Err(DecoderError::InvalidLength(len as usize, format!("Invalid binary length of {}", len)));
+            }
             let subtype = BinarySubtype::from(reader.read_u8()?);
             let mut data = Vec::with_capacity(len as usize);
             reader.take(len as u64).read_to_end(&mut data)?;

tests/modules/encoder_decoder.rs

@@ -310,3 +310,10 @@ fn test_decode_multiply_overflows_issue64() {
 
     assert!(decode_document(&mut Cursor::new(&buffer[..])).is_err());
 }
+
+
+#[test]
+fn test_illegal_size(){
+    let buffer = [0x06, 0xcc, 0xf9, 0x0a, 0x05, 0x00, 0x00, 0x03, 0x00, 0xff, 0xff];
+    assert!(decode_document(&mut Cursor::new(&buffer[..])).is_err());
+}