Add varsize out of bounds checks

Author: tope99

runtime/ClangTidySuppressions.txt

@@ -74,8 +74,8 @@ cppcoreguidelines-pro-bounds-array-to-pointer-decay:src/zserio/ZserioTreeCreator
 
 # The following is filtered out because bounds are checked naturally by implementation. Therefore method 'at'
 # would only bring the performance drop.
-cppcoreguidelines-pro-bounds-constant-array-index:src/zserio/BitStreamReader.cpp:301
-cppcoreguidelines-pro-bounds-constant-array-index:src/zserio/BitStreamReader.cpp:315
+cppcoreguidelines-pro-bounds-constant-array-index:src/zserio/BitStreamReader.cpp:303
+cppcoreguidelines-pro-bounds-constant-array-index:src/zserio/BitStreamReader.cpp:317
 cppcoreguidelines-pro-bounds-constant-array-index:src/zserio/BitStreamWriter.cpp:351
 cppcoreguidelines-pro-bounds-constant-array-index:src/zserio/BitStreamWriter.cpp:362
 cppcoreguidelines-pro-bounds-constant-array-index:src/zserio/BitStreamWriter.cpp:373
@@ -114,6 +114,10 @@ cppcoreguidelines-pro-type-reinterpret-cast:src/zserio/ValidationSqliteUtil.h:10
 fuchsia-multiple-inheritance:src/zserio/IntrospectableView.h:881
 fuchsia-multiple-inheritance:src/zserio/ReflectableData.h:516
 
+# Strong type class wrapper should use implicit conversion
+google-explicit-constructor:src/zserio/BitStreamReader.h:22
+google-explicit-constructor:src/zserio/BitStreamReader.h:25
+
 # Optional follows std::optional so the ctors should be implicit.
 google-explicit-constructor:src/zserio/Optional.h:127
 google-explicit-constructor:src/zserio/Optional.h:137

runtime/src/zserio/BitStreamReader.cpp

@@ -6,6 +6,8 @@
 #include "zserio/FloatUtil.h"
 #include "zserio/RuntimeArch.h"
 
+const size_t ZSERIO_MAX_INITIAL_ARRAY_ALLOCATION = 128 * 1024 * 1024;
+
 namespace zserio
 {
 
@@ -355,11 +357,13 @@ inline uint64_t readUnsignedBits64Impl(ReaderContext& ctx, uint8_t numBits)
 
 } // namespace
 
-BitStreamReader::ReaderContext::ReaderContext(Span<const uint8_t> readBuffer, size_t readBufferBitSize) :
+BitStreamReader::ReaderContext::ReaderContext(
+        Span<const uint8_t> readBuffer, size_t readBufferBitSize, size_t maxArrayPrealloc) :
         buffer(readBuffer),
         bufferBitSize(readBufferBitSize),
         cache(0),
         cacheNumBits(0),
+        maxArrayPreallocation(maxArrayPrealloc),
         bitIndex(0)
 {
     if (buffer.size() > MAX_BUFFER_SIZE)
@@ -369,16 +373,18 @@ BitStreamReader::ReaderContext::ReaderContext(Span<const uint8_t> readBuffer, si
     }
 }
 
-BitStreamReader::BitStreamReader(const uint8_t* buffer, size_t bufferByteSize) :
-        BitStreamReader(Span<const uint8_t>(buffer, bufferByteSize))
+BitStreamReader::BitStreamReader(
+        const uint8_t* buffer, size_t bufferByteSize, ArrayAllocation maxArrayPrealloc) :
+        BitStreamReader(Span<const uint8_t>(buffer, bufferByteSize), maxArrayPrealloc)
 {}
 
-BitStreamReader::BitStreamReader(Span<const uint8_t> buffer) :
-        m_context(buffer, buffer.size() * 8)
+BitStreamReader::BitStreamReader(Span<const uint8_t> buffer, ArrayAllocation maxArrayPrealloc) :
+        m_context(buffer, buffer.size() * 8, maxArrayPrealloc)
 {}
 
-BitStreamReader::BitStreamReader(Span<const uint8_t> buffer, size_t bufferBitSize) :
-        m_context(buffer, bufferBitSize)
+BitStreamReader::BitStreamReader(
+        Span<const uint8_t> buffer, size_t bufferBitSize, ArrayAllocation maxArrayPrealloc) :
+        m_context(buffer, bufferBitSize, maxArrayPrealloc)
 {
     if (buffer.size() < (bufferBitSize + 7) / 8)
     {
@@ -387,8 +393,9 @@ BitStreamReader::BitStreamReader(Span<const uint8_t> buffer, size_t bufferBitSiz
     }
 }
 
-BitStreamReader::BitStreamReader(const uint8_t* buffer, size_t bufferBitSize, BitsTag) :
-        m_context(Span<const uint8_t>(buffer, (bufferBitSize + 7) / 8), bufferBitSize)
+BitStreamReader::BitStreamReader(
+        const uint8_t* buffer, size_t bufferBitSize, BitsTag, ArrayAllocation maxArrayPrealloc) :
+        m_context(Span<const uint8_t>(buffer, (bufferBitSize + 7) / 8), bufferBitSize, maxArrayPrealloc)
 {}
 
 uint32_t BitStreamReader::readUnsignedBits32(uint8_t numBits)

runtime/src/zserio/BitStreamReader.h

@@ -11,9 +11,26 @@
 #include "zserio/String.h"
 #include "zserio/Types.h"
 
+extern const size_t ZSERIO_MAX_INITIAL_ARRAY_ALLOCATION;
+
 namespace zserio
 {
 
+class ArrayAllocation
+{
+public:
+    ArrayAllocation(size_t alloc = ZSERIO_MAX_INITIAL_ARRAY_ALLOCATION) :
+            allocation(alloc)
+    {}
+    operator size_t() const
+    {
+        return allocation;
+    }
+
+private:
+    size_t allocation;
+};
+
 /**
  * Reader class which allows to read various data from the bit stream.
  */
@@ -34,7 +51,8 @@ class BitStreamReader
          * \param readBuffer Span to the buffer to read.
          * \param readBufferBitSize Size of the buffer in bits.
          */
-        explicit ReaderContext(Span<const uint8_t> readBuffer, size_t readBufferBitSize);
+        explicit ReaderContext(
+                Span<const uint8_t> readBuffer, size_t readBufferBitSize, size_t maxArrayPrealloc);
 
         /**
          * Destructor.
@@ -59,6 +77,7 @@ class BitStreamReader
 
         uintptr_t cache; /**< Bit cache to optimize bit reading. */
         uint8_t cacheNumBits; /**< Num bits available in the bit cache. */
+        const size_t maxArrayPreallocation; /**< Maximum initial array allocation. */
 
         BitPosType bitIndex; /**< Current bit index. */
     };
@@ -69,39 +88,42 @@ class BitStreamReader
      * \param buffer Pointer to the buffer to read.
      * \param bufferByteSize Size of the buffer in bytes.
      */
-    explicit BitStreamReader(const uint8_t* buffer, size_t bufferByteSize);
+    explicit BitStreamReader(
+            const uint8_t* buffer, size_t bufferByteSize, ArrayAllocation maxArrayPrealloc = {});
 
     /**
      * Constructor from buffer passed as a Span.
      *
      * \param buffer Buffer to read.
      */
-    explicit BitStreamReader(Span<const uint8_t> buffer);
+    explicit BitStreamReader(Span<const uint8_t> buffer, ArrayAllocation maxArrayPrealloc = {});
 
     /**
      * Constructor from buffer passed as a Span with exact bit size.
      *
      * \param buffer Buffer to read.
      * \param bufferBitSize Size of the buffer in bits.
      */
-    explicit BitStreamReader(Span<const uint8_t> buffer, size_t bufferBitSize);
+    explicit BitStreamReader(
+            Span<const uint8_t> buffer, size_t bufferBitSize, ArrayAllocation maxArrayPrealloc = {});
 
     /**
      * Constructor from raw buffer with exact bit size.
      *
      * \param buffer Pointer to buffer to read.
      * \param bufferBitSize Size of the buffer in bits.
      */
-    explicit BitStreamReader(const uint8_t* buffer, size_t bufferBitSize, BitsTag);
+    explicit BitStreamReader(
+            const uint8_t* buffer, size_t bufferBitSize, BitsTag, ArrayAllocation maxArrayPrealloc = {});
 
     /**
      * Constructor from bit buffer.
      *
      * \param bitBuffer Bit buffer to read from.
      */
     template <typename ALLOC>
-    explicit BitStreamReader(const BasicBitBuffer<ALLOC>& bitBuffer) :
-            BitStreamReader(bitBuffer.getData(), bitBuffer.getBitSize())
+    explicit BitStreamReader(const BasicBitBuffer<ALLOC>& bitBuffer, ArrayAllocation maxArrayPrealloc = {}) :
+            BitStreamReader(bitBuffer.getData(), bitBuffer.getBitSize(), maxArrayPrealloc)
     {}
 
     /**
@@ -248,6 +270,10 @@ class BitStreamReader
     {
         const size_t len = static_cast<size_t>(readVarSize());
         const BitPosType beginBitPosition = getBitPosition();
+        if (beginBitPosition + 8 * len > getBufferBitSize())
+        {
+            throw CppRuntimeException("BitStreamReader: byte array size exceeds available buffer!");
+        }
         if ((beginBitPosition & 0x07U) != 0)
         {
             // we are not aligned to byte
@@ -280,6 +306,10 @@ class BitStreamReader
     {
         const size_t len = static_cast<size_t>(readVarSize());
         const BitPosType beginBitPosition = getBitPosition();
+        if (beginBitPosition + 8 * len > getBufferBitSize())
+        {
+            throw CppRuntimeException("BitStreamReader: byte array size exceeds available buffer!");
+        }
         if ((beginBitPosition & 0x07U) != 0)
         {
             // we are not aligned to byte
@@ -313,11 +343,15 @@ class BitStreamReader
     BasicBitBuffer<RebindAlloc<ALLOC, uint8_t>> readBitBuffer(const ALLOC& allocator = ALLOC())
     {
         const size_t bitSize = static_cast<size_t>(readVarSize());
+        const BitPosType beginBitPosition = getBitPosition();
+        if (beginBitPosition + bitSize > getBufferBitSize())
+        {
+            throw CppRuntimeException("BitStreamReader: byte array size exceeds available buffer!");
+        }
         const size_t numBytesToRead = bitSize / 8;
         const uint8_t numRestBits = static_cast<uint8_t>(bitSize - numBytesToRead * 8);
         BasicBitBuffer<RebindAlloc<ALLOC, uint8_t>> bitBuffer(bitSize, allocator);
         Span<uint8_t> buffer = bitBuffer.getData();
-        const BitPosType beginBitPosition = getBitPosition();
         const Span<uint8_t>::iterator itEnd = buffer.begin() + numBytesToRead;
         if ((beginBitPosition & 0x07U) != 0)
         {
@@ -377,6 +411,16 @@ class BitStreamReader
         return m_context.bufferBitSize;
     }
 
+    /**
+     * Gets the maximum initial array capacity in bytes.
+     *
+     * \return max initial array capacity
+     */
+    size_t getMaxArrayPreallocation() const
+    {
+        return m_context.maxArrayPreallocation;
+    }
+
 private:
     uint8_t readByte();