Skip to content

Out-of-bounds memory access in memcpy_downward when in_use sizes exceed buffer sizes #9162

Description

@paulquiring

The current implementation of

void memcpy_downward(uint8_t* old_p, size_t old_size, uint8_t* new_p,

performs no out-of-bounds checks. Without bounds checks writes past buffer boundaries are possible which can lead to memory corruption.

Adding the following asserts will protect against misuse.

void memcpy_downward(uint8_t* old_p, size_t old_size, uint8_t* new_p,
                      size_t new_size, size_t in_use_back, size_t in_use_front) {
     FLATBUFFERS_ASSERT(in_use_back <= old_size);
     FLATBUFFERS_ASSERT(in_use_back <= new_size);
     memcpy(new_p + new_size - in_use_back, old_p + old_size - in_use_back,
         in_use_back);
     FLATBUFFERS_ASSERT(in_use_front <= old_size);
     FLATBUFFERS_ASSERT(in_use_front <= new_size);
     memcpy(new_p, old_p, in_use_front);
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions