From 519607a3c6b87b7f2fcffa1fbeec0a0e30958b37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=B0=B4=E8=8A=9D?= Date: Mon, 8 Jun 2026 20:39:19 +0800 Subject: [PATCH] fix(storage): add bounds validation in Footer::Parse to prevent heap OOB read MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Validate that length >= 20 bytes (8B magic + 8B metadata_length + 4B checksum minimum) and that metadata_string_length does not exceed the available buffer before constructing the metadata string or copying the checksum. Without these checks, a corrupted or truncated serialized file could cause a heap out-of-bounds read. Also removes unused string_buffer allocation (dead code). Signed-off-by: 水芝 Assisted-by: Claude:claude-opus-4-6
---
 src/storage/serialization.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/storage/serialization.cpp b/src/storage/serialization.cpp
index 11813b7dc6..c95bf0491a 100644
--- a/src/storage/serialization.cpp
+++ b/src/storage/serialization.cpp
@@ -80,9 +80,16 @@ Footer::Parse(StreamReader& reader) {
 }
 // no popseek, continue to parse
+ if (length < 20) {
+ reader.PopSeek();
+ return nullptr;
+ }
 uint64_t metadata_string_length = 0;
- std::vector string_buffer(length);
 memcpy(&metadata_string_length, meta_buffer.data() + 8, 8);
+ if (metadata_string_length > length - 20) {
+ reader.PopSeek();
+ return nullptr;
+ }
 std::string metadata_string(meta_buffer.data() + 16, metadata_string_length);
 uint32_t checksum;
 memcpy(&checksum, meta_buffer.data() + 16 + metadata_string_length, 4);
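Review bot: The two new guards bound against `length`, but every read they protect indexes `meta_buffer` (`meta_buffer.data() + 8`, `+ 16`, `+ 16 + metadata_string_length`), and nothing in the hunk shows that `meta_buffer.size()` equals `length`; if the buffer is filled outside the hunk by a read that can come back short, both checks pass and the memcpy and string construction still overrun. Bounding on the buffer actually indexed removes that dependency: `const size_t avail = meta_buffer.size();`, then `if (avail < 20) { ... }` and `if (metadata_string_length > avail - 20) { ... }`. The literals 20, 16, 8 and 4 encode the footer layout in four separate places; naming them (`kMagicSize = 8`, `kMetaLenSize = 8`, `kChecksumSize = 4`, `kFooterMinSize = kMagicSize + kMetaLenSize + kChecksumSize`) keeps the guard and the offsets from drifting apart on the next format change. Note the second comparison uses `>`, so a footer with trailing bytes after the checksum is still accepted, which is fine if the format permits a trailer but `!=` is the stricter check if it does not. Footer::Parse starts before this hunk, so how `meta_buffer` and `length` are produced is not visible here.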