Merge pull request #550 from redboltz/fix_cpp_array_of

redboltz · web-flow · commit b4f2acb9456e · 2016-12-29T13:23:13.000+09:00
Fixed array and map size overflow.
diff --git a/include/msgpack/v1/unpack.hpp b/include/msgpack/v1/unpack.hpp
@@ -203,7 +203,11 @@ struct unpack_array {
         if (n > u.limit().array()) throw msgpack::array_size_overflow("array size overflow");
         o.type = msgpack::type::ARRAY;
         o.via.array.size = 0;
-        o.via.array.ptr = static_cast<msgpack::object*>(u.zone().allocate_align(n*sizeof(msgpack::object)));
+        size_t size = n*sizeof(msgpack::object);
+        if (size / sizeof(msgpack::object) != n) {
+            throw msgpack::array_size_overflow("array size overflow");
+        }
+        o.via.array.ptr = static_cast<msgpack::object*>(u.zone().allocate_align(size));
     }
 };
 
@@ -221,7 +225,11 @@ struct unpack_map {
         if (n > u.limit().map()) throw msgpack::map_size_overflow("map size overflow");
         o.type = msgpack::type::MAP;
         o.via.map.size = 0;
-        o.via.map.ptr = static_cast<msgpack::object_kv*>(u.zone().allocate_align(n*sizeof(msgpack::object_kv)));
+        size_t size = n*sizeof(msgpack::object_kv);
+        if (size / sizeof(msgpack::object_kv) != n) {
+            throw msgpack::map_size_overflow("map size overflow");
+        }
+        o.via.map.ptr = static_cast<msgpack::object_kv*>(u.zone().allocate_align(size));
     }
 };
 
diff --git a/include/msgpack/v2/unpack.hpp b/include/msgpack/v2/unpack.hpp
@@ -215,8 +215,12 @@ class create_object_visitor {
             obj->via.array.ptr = MSGPACK_NULLPTR;
         }
         else {
+            size_t size = num_elements*sizeof(msgpack::object);
+            if (size / sizeof(msgpack::object) != num_elements) {
+                throw msgpack::array_size_overflow("array size overflow");
+            }
             obj->via.array.ptr =
-                static_cast<msgpack::object*>(m_zone->allocate_align(num_elements*sizeof(msgpack::object)));
+                static_cast<msgpack::object*>(m_zone->allocate_align(size));
         }
         m_stack.push_back(obj->via.array.ptr);
         return true;
@@ -242,8 +246,12 @@ class create_object_visitor {
             obj->via.map.ptr = MSGPACK_NULLPTR;
         }
         else {
+            size_t size = num_kv_pairs*sizeof(msgpack::object_kv);
+            if (size / sizeof(msgpack::object_kv) != num_kv_pairs) {
+                throw msgpack::map_size_overflow("map size overflow");
+            }
             obj->via.map.ptr =
-                static_cast<msgpack::object_kv*>(m_zone->allocate_align(num_kv_pairs*sizeof(msgpack::object_kv)));
+                static_cast<msgpack::object_kv*>(m_zone->allocate_align(size));
         }
         m_stack.push_back(reinterpret_cast<msgpack::object*>(obj->via.map.ptr));
         return true;
