From f42d5399aac80d371b17d689851406669c9b9111 Mon Sep 17 00:00:00 2001
From: Alexander Alekhin
Date: Thu, 7 Nov 2019 14:01:51 +0300
Subject: [PATCH] core(persistence): add more checks for implementation limitations
---
 modules/core/src/persistence_json.cpp | 8 ++++++++
 modules/core/src/persistence_xml.cpp | 6 ++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/modules/core/src/persistence_json.cpp b/modules/core/src/persistence_json.cpp
index 89914e6534..2efdf17d3f 100644
--- a/modules/core/src/persistence_json.cpp
+++ b/modules/core/src/persistence_json.cpp
@@ -578,10 +578,14 @@ public:
 sz = (int)(ptr - beg);
 if( sz > 0 )
 {
+ if (i + sz >= CV_FS_MAX_LEN)
+ CV_PARSE_ERROR_CPP("string is too long");
 memcpy(buf + i, beg, sz);
 i += sz;
 }
 ptr++;
+ if (i + 1 >= CV_FS_MAX_LEN)
+ CV_PARSE_ERROR_CPP("string is too long");
 switch ( *ptr )
 {
 case '\\':
@@ -605,6 +609,8 @@ public:
 sz = (int)(ptr - beg);
 if( sz > 0 )
 {
+ if (i + sz >= CV_FS_MAX_LEN)
+ CV_PARSE_ERROR_CPP("string is too long");
 memcpy(buf + i, beg, sz);
 i += sz;
 }
@@ -620,6 +626,8 @@ public:
 sz = (int)(ptr - beg);
 if( sz > 0 )
 {
+ if (i + sz >= CV_FS_MAX_LEN)
+ CV_PARSE_ERROR_CPP("string is too long");
 memcpy(buf + i, beg, sz);
 i += sz;
 }
diff --git a/modules/core/src/persistence_xml.cpp b/modules/core/src/persistence_xml.cpp
index 89876dd3da..52b5374425 100644
--- a/modules/core/src/persistence_xml.cpp
+++ b/modules/core/src/persistence_xml.cpp
@@ -627,6 +627,8 @@ public:
 c = '\"';
 else
 {
+ if (len + 2 + i >= CV_FS_MAX_LEN)
+ CV_PARSE_ERROR_CPP("string is too long");
 memcpy( strbuf + i, ptr-1, len + 2 );
 i += len + 2;
 }
@@ -635,9 +637,9 @@ public:
 CV_PERSISTENCE_CHECK_END_OF_BUFFER_BUG_CPP();
 }
 }
+ if (i + 1 >= CV_FS_MAX_LEN)
+ CV_PARSE_ERROR_CPP("Too long string literal");
 strbuf[i++] = c;
- if( i >= CV_FS_MAX_LEN )
- CV_PARSE_ERROR_CPP( "Too long string literal" );
 }
 elem->setValue(FileNode::STRING, strbuf, i);
 }
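Review bot: The added guard `if (i + sz >= CV_FS_MAX_LEN)` adds two signed values right after `sz = (int)(ptr - beg)` has narrowed a pointer difference, so it is only sound if the distance between `beg` and `ptr` is bounded somewhere outside this hunk; assuming `i` is also an `int`, `if (sz >= CV_FS_MAX_LEN - i)` states the same limit without an addition that can overflow. The same form is used in the two later hunks of persistence_json.cpp and as `len + 2 + i >= CV_FS_MAX_LEN` in the first hunk of persistence_xml.cpp. The second guard, `if (i + 1 >= CV_FS_MAX_LEN)` ahead of `switch ( *ptr )`, reserves exactly one byte; the case bodies are not in the hunk, so any escape that emits more than one byte would need its own check. The declaration of `buf` is also outside the hunk, and its capacity should be confirmed to be at least `CV_FS_MAX_LEN`, since these checks are the only bound on the `memcpy` when the input file is untrusted.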
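Review bot: Nothing in this patch exercises the new limits, since the diffstat lists only the two parser sources, and this hunk is where the boundary actually moves. The old code wrote `strbuf[i++] = c` first and tested `i >= CV_FS_MAX_LEN` afterwards, while the new code rejects the input as soon as `i + 1 >= CV_FS_MAX_LEN`, before the store. A regression test that loads XML and JSON strings one byte under and one byte over the limit, expecting a parse error only for the latter, would pin that behaviour down. The two messages in this file also differ, `"string is too long"` in the previous hunk and `"Too long string literal"` here; a single wording would make the failure easier to search for in logs. The enclosing function begins outside the hunk.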