You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
parse: Fix addition overflow in add_consumed for chained extensions
The fuzzer found that chained extension headers (GNU long name/link,
PAX) with large declared sizes can cause an arithmetic overflow in
add_consumed() when the recursive parse_header calls unwind. Each
layer adds total_size (HEADER_SIZE + padded_size) to the consumed or
min_bytes field, and with Limits::permissive() allowing metadata up
to u32::MAX, two such additions can overflow usize.
Fix by using saturating_add instead of plain +. A saturated value
(usize::MAX) will always exceed the input length, so callers
correctly treat it as insufficient data.
Crash: parse.rs:413 panic_const_add_overflow in GlobalExtensions
variant, found by extended fuzzing on commit 518dcfb.
Assisted-by: OpenCode (Claude Opus)
0 commit comments