Merge pull request #3751 from softins/fix-issue-3747-crash

ann0see · web-flow · commit 6e3da2025fdd · 2026-06-24T20:07:37.000+02:00
Add bounds checking before indexing vecvecTempMemory
diff --git a/src/buffer.cpp b/src/buffer.cpp
@@ -64,11 +64,13 @@ void CNetBuf::Init ( const int iNewBlockSize, const int iNewNumBlocks, const boo
         // extract all data from buffer in temporary storage
         CVector<CVector<uint8_t>> vecvecTempMemory = vecvecMemory; // allocate worst case memory by copying
 
+        int iTempSize = vecvecTempMemory.size(); // for bounds checking
+
         if ( !bNUseSequenceNumber )
         {
             int iPreviousDataCnt = 0;
 
-            while ( Get ( vecvecTempMemory[iPreviousDataCnt], iBlockSize ) )
+            while ( iPreviousDataCnt < iTempSize && Get ( vecvecTempMemory[iPreviousDataCnt], iBlockSize ) )
             {
                 iPreviousDataCnt++;
             }
@@ -80,6 +82,7 @@ void CNetBuf::Init ( const int iNewBlockSize, const int iNewNumBlocks, const boo
             // data back as the new buffer size can hold)
             int iDataCnt = 0;
 
+            // iPreviousDataCnt will be at most iTempSize, so an additional check on iDataCnt is not needed
             while ( ( iDataCnt < iPreviousDataCnt ) && Put ( vecvecTempMemory[iDataCnt], iBlockSize ) )
             {
                 iDataCnt++;
@@ -94,13 +97,13 @@ void CNetBuf::Init ( const int iNewBlockSize, const int iNewNumBlocks, const boo
             const int     iOldBlockGetPos            = iBlockGetPos;
             int           iCurBlockPos               = 0;
 
-            while ( iBlockGetPos < iNumBlocksMemory )
+            while ( iBlockGetPos < iNumBlocksMemory && iCurBlockPos < iTempSize )
             {
                 veciTempBlockValid[iCurBlockPos] = veciBlockValid[iBlockGetPos];
                 vecvecTempMemory[iCurBlockPos++] = vecvecMemory[iBlockGetPos++];
             }
 
-            for ( iBlockGetPos = 0; iBlockGetPos < iOldBlockGetPos; iBlockGetPos++ )
+            for ( iBlockGetPos = 0; iBlockGetPos < iOldBlockGetPos && iCurBlockPos < iTempSize; iBlockGetPos++ )
             {
                 veciTempBlockValid[iCurBlockPos] = veciBlockValid[iBlockGetPos];
                 vecvecTempMemory[iCurBlockPos++] = vecvecMemory[iBlockGetPos];
@@ -113,7 +116,7 @@ void CNetBuf::Init ( const int iNewBlockSize, const int iNewNumBlocks, const boo
             iSequenceNumberAtGetPos = iOldSequenceNumberAtGetPos;
             iBlockGetPos            = 0; // per definition
 
-            for ( int iCurPos = 0; iCurPos < std::min ( iNewNumBlocks, iOldNumBlocksMemory ); iCurPos++ )
+            for ( int iCurPos = 0; iCurPos < std::min ( iNewNumBlocks, iOldNumBlocksMemory ) && iCurPos < iTempSize; iCurPos++ )
             {
                 veciBlockValid[iCurPos] = veciTempBlockValid[iCurPos];
                 vecvecMemory[iCurPos]   = vecvecTempMemory[iCurPos];

Original file line number	Diff line number	Diff line change
`@@ -64,11 +64,13 @@ void CNetBuf::Init ( const int iNewBlockSize, const int iNewNumBlocks, const boo`
`64`	`64`	`// extract all data from buffer in temporary storage`
`65`	`65`	`CVector<CVector<uint8_t>> vecvecTempMemory = vecvecMemory; // allocate worst case memory by copying`
`66`	`66`
	`67`	`+ int iTempSize = vecvecTempMemory.size(); // for bounds checking`
	`68`	`+`
`67`	`69`	`if ( !bNUseSequenceNumber )`
`68`	`70`	`{`
`69`	`71`	`int iPreviousDataCnt = 0;`
`70`	`72`
`71`		`- while ( Get ( vecvecTempMemory[iPreviousDataCnt], iBlockSize ) )`
	`73`	`+ while ( iPreviousDataCnt < iTempSize && Get ( vecvecTempMemory[iPreviousDataCnt], iBlockSize ) )`
`72`	`74`	`{`
`73`	`75`	`iPreviousDataCnt++;`
`74`	`76`	`}`
`@@ -80,6 +82,7 @@ void CNetBuf::Init ( const int iNewBlockSize, const int iNewNumBlocks, const boo`
`80`	`82`	`// data back as the new buffer size can hold)`
`81`	`83`	`int iDataCnt = 0;`
`82`	`84`
	`85`	`+ // iPreviousDataCnt will be at most iTempSize, so an additional check on iDataCnt is not needed`
`83`	`86`	`while ( ( iDataCnt < iPreviousDataCnt ) && Put ( vecvecTempMemory[iDataCnt], iBlockSize ) )`
`84`	`87`	`{`
`85`	`88`	`iDataCnt++;`
`@@ -94,13 +97,13 @@ void CNetBuf::Init ( const int iNewBlockSize, const int iNewNumBlocks, const boo`
`94`	`97`	`const int iOldBlockGetPos = iBlockGetPos;`
`95`	`98`	`int iCurBlockPos = 0;`
`96`	`99`
`97`		`- while ( iBlockGetPos < iNumBlocksMemory )`
	`100`	`+ while ( iBlockGetPos < iNumBlocksMemory && iCurBlockPos < iTempSize )`
`98`	`101`	`{`
`99`	`102`	`veciTempBlockValid[iCurBlockPos] = veciBlockValid[iBlockGetPos];`
`100`	`103`	`vecvecTempMemory[iCurBlockPos++] = vecvecMemory[iBlockGetPos++];`
`101`	`104`	`}`
`102`	`105`
`103`		`- for ( iBlockGetPos = 0; iBlockGetPos < iOldBlockGetPos; iBlockGetPos++ )`
	`106`	`+ for ( iBlockGetPos = 0; iBlockGetPos < iOldBlockGetPos && iCurBlockPos < iTempSize; iBlockGetPos++ )`
`104`	`107`	`{`
`105`	`108`	`veciTempBlockValid[iCurBlockPos] = veciBlockValid[iBlockGetPos];`
`106`	`109`	`vecvecTempMemory[iCurBlockPos++] = vecvecMemory[iBlockGetPos];`
`@@ -113,7 +116,7 @@ void CNetBuf::Init ( const int iNewBlockSize, const int iNewNumBlocks, const boo`
`113`	`116`	`iSequenceNumberAtGetPos = iOldSequenceNumberAtGetPos;`
`114`	`117`	`iBlockGetPos = 0; // per definition`
`115`	`118`
`116`		`- for ( int iCurPos = 0; iCurPos < std::min ( iNewNumBlocks, iOldNumBlocksMemory ); iCurPos++ )`
	`119`	`+ for ( int iCurPos = 0; iCurPos < std::min ( iNewNumBlocks, iOldNumBlocksMemory ) && iCurPos < iTempSize; iCurPos++ )`
`117`	`120`	`{`
`118`	`121`	`veciBlockValid[iCurPos] = veciTempBlockValid[iCurPos];`
`119`	`122`	`vecvecMemory[iCurPos] = vecvecTempMemory[iCurPos];`