[io] More checks to the buffer properties of TKey and TBuffer

thanks to @manop55555

Author: dpiparo

io/io/src/TKey.cxx

@@ -80,6 +80,18 @@ const UChar_t kPidOffsetShift = 48;
 const static TString gTDirectoryString("TDirectory");
 std::atomic<UInt_t> keyAbsNumber{0};
 
+namespace ROOT::Internal {
+int CheckKeyObjLenOverflow(const char *methodName, int keyLen, int objLen)
+{
+   constexpr auto maxInt_t = std::numeric_limits<Int_t>::max();
+   if (keyLen > (maxInt_t - objLen)) {
+      Error(methodName, "fObjlen (%d) + fKeylen (%d) > max int (%d): cannot continue to read the key buffer.", objLen,
+            keyLen, maxInt_t);
+      return 1;
+   }
+   return 0;
+}
+} // namespace ROOT::Internal
 
 ////////////////////////////////////////////////////////////////////////////////
 /// TKey default constructor.
@@ -1246,9 +1258,9 @@ void TKey::ReadKeyBuffer(char *&buffer)
       return;
    }
 
-   constexpr auto maxInt_t = std::numeric_limits<Int_t>::max();
-   if (fKeylen > (maxInt_t - fObjlen)) {
-      Error("ReadKeyBuffer", "fObjlen (%d) + fKeylen (%d) > max int (%d): cannot continue to read the key buffer.", fObjlen, fKeylen, maxInt_t);
+   if(0 != ROOT::Internal::CheckKeyObjLenOverflow("ReadKeyBuffer", fKeylen, fObjlen)){
+      fKeylen = 0;
+      fObjlen = 0;
       MakeZombie();
       return;
    }
@@ -1424,6 +1436,10 @@ void TKey::Streamer(TBuffer &b)
          MakeZombie();
          fNbytes = 0;
       }
+      if (0 != ROOT::Internal::CheckKeyObjLenOverflow("Streamer", fKeylen, fObjlen)) {
+         MakeZombie();
+         return;
+      }
 
    } else {
       b << fNbytes;

tree/tree/src/TBasket.cxx

@@ -9,6 +9,7 @@
  *************************************************************************/
 
 #include <chrono>
+#include <limits>
 
 #include "TBasket.h"
 #include "TBuffer.h"
@@ -31,6 +32,7 @@
 const UInt_t kDisplacementMask = 0xFF000000;  // In the streamer the two highest bytes of
                                               // the fEntryOffset are used to stored displacement.
 
+constexpr auto gMaxInt_t = std::numeric_limits<Int_t>::max();
 
 /** \class TBasket
 \ingroup tree
@@ -575,6 +577,31 @@ Int_t TBasket::ReadBasketBuffers(Long64_t pos, Int_t len, TFile *file)
          memcpy(rawCompressedBuffer, fBufferRef->Buffer(), len);
       }
    }
+   // Sanitize nbytes and lengths
+   if (fKeylen < 0) {
+      Error("ReadBasketBuffers", "The value of fKeylen is incorrect (%d) ; trying to recover by setting it to zero", fKeylen);
+      MakeZombie();
+      fKeylen = 0;
+      return 1;
+   }
+   if (fObjlen < 0) {
+      Error("ReadBasketBuffers", "The value of fObjlen is incorrect (%d) ; trying to recover by setting it to zero", fObjlen);
+      MakeZombie();
+      fObjlen = 0;
+      return 1;
+   }
+   if (fNbytes < 0) {
+      Error("ReadBasketBuffers", "The value of fNbytes is incorrect (%d) ; trying to recover by setting it to zero", fNbytes);
+      MakeZombie();
+      fNbytes = 0;
+      return 1;
+   }
+   if (fKeylen > (gMaxInt_t - fObjlen)) {
+      Error("ReadBasketBuffers", "fObjlen (%d) + fKeylen (%d) > max int (%d): cannot continue to read the key buffer.",
+            fObjlen, fKeylen, gMaxInt_t);
+      MakeZombie();
+      return 1;
+   }
 
    // Initialize buffer to hold the uncompressed data
    // Note that in previous versions we didn't allocate buffers until we verified