Fix messagepack EXT parsing
When we read `ext` we actually do not get any object, so we MUST NOT
insert `parser->cur_obj` multiple times, as we will have use-after-free
on unref. This is a serious bug.

Issue: #303
Closes: #303
vstakhov committed Apr 25, 2024
1 parent 084de92 commit 047b02b
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions src/ucl_msgpack.c
@@ -1146,9 +1146,14 @@ ucl_msgpack_consume (struct ucl_parser *parser)


/* Insert value to the container and check if we have finished array */
if (!ucl_msgpack_insert_object (parser, NULL, 0,
if (parser->cur_obj) {
if (!ucl_msgpack_insert_object(parser, NULL, 0,
parser->cur_obj)) {
return false;
return false;
}
}
else {
/* We have parsed ext, ignore it */
}

if (ucl_msgpack_is_container_finished (container)) {
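Review bot: the new `if (parser->cur_obj)` guard uses a NULL `cur_obj` as the signal for "ext was parsed and ignored", but nothing at this point distinguishes that from any other handler that leaves `cur_obj` unset, so such a case would now be skipped silently instead of failing. State that invariant in a comment at the guard (or carry an explicit "value skipped" flag) and drop the empty `else` block, which only holds a comment. Style: the re-indented call is written `ucl_msgpack_insert_object(parser, ...` while the neighbouring lines keep a space before the parenthesis, as in `ucl_msgpack_is_container_finished (container)`. A regression test with an ext element inside an array and as a map value would pin down the behaviour reported in #303.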
@@ -1634,5 +1639,7 @@ ucl_msgpack_parse_ignore (struct ucl_parser *parser,
return -1;
}

parser->cur_obj = NULL;

return len;
}
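Review bot: `parser->cur_obj = NULL;` before `return len;` needs a comment saying why it is there, because the `if (parser->cur_obj)` guard in `ucl_msgpack_consume` depends on it: without the reset, the pointer left over from the previously parsed value would be inserted a second time, which is the use-after-free on unref described in the commit message. The `return -1;` path just above leaves `cur_obj` untouched; that is fine if the caller stops parsing on that return, but it is worth confirming.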
