Added bounds check to pk and checksum to payload

Author: marcobambini

src/cloudsync.c

@@ -193,14 +193,14 @@ struct cloudsync_payload_context {
 #endif
 
 typedef struct PACKED {
-    uint32_t    signature;         // 'CLSY'
-    uint8_t     version;           // protocol version
-    uint8_t     libversion[3];     // major.minor.patch
+    uint32_t    signature;          // 'CLSY'
+    uint8_t     version;            // protocol version
+    uint8_t     libversion[3];      // major.minor.patch
     uint32_t    expanded_size;
     uint16_t    ncols;
     uint32_t    nrows;
     uint64_t    schema_hash;
-    uint8_t     unused[6];        // padding to ensure the struct is exactly 32 bytes
+    uint8_t     checksum[6];        // 48 bits checksum (to ensure struct is 32 bytes)
 } cloudsync_payload_header;
 
 #ifdef _MSC_VER
@@ -1949,6 +1949,31 @@ int local_update_move_meta (cloudsync_table_context *table, const char *pk, size
 
 // MARK: - Payload Encode / Decode -
 
+static void cloudsync_payload_checksum_store (cloudsync_payload_header *header, uint64_t checksum) {
+    uint64_t h = checksum & 0xFFFFFFFFFFFFULL; // keep 48 bits
+    header->checksum[0] = (uint8_t)(h >> 40);
+    header->checksum[1] = (uint8_t)(h >> 32);
+    header->checksum[2] = (uint8_t)(h >> 24);
+    header->checksum[3] = (uint8_t)(h >> 16);
+    header->checksum[4] = (uint8_t)(h >>  8);
+    header->checksum[5] = (uint8_t)(h >>  0);
+}
+
+static uint64_t cloudsync_payload_checksum_load (cloudsync_payload_header *header) {
+    return ((uint64_t)header->checksum[0] << 40) |
+           ((uint64_t)header->checksum[1] << 32) |
+           ((uint64_t)header->checksum[2] << 24) |
+           ((uint64_t)header->checksum[3] << 16) |
+           ((uint64_t)header->checksum[4] <<  8) |
+           ((uint64_t)header->checksum[5] <<  0);
+}
+
+static bool cloudsync_payload_checksum_verify (cloudsync_payload_header *header, uint64_t checksum) {
+    uint64_t checksum1 = cloudsync_payload_checksum_load(header);
+    uint64_t checksum2 = checksum & 0xFFFFFFFFFFFFULL;
+    return (checksum1 == checksum2);
+}
+
 static bool cloudsync_payload_encode_check (cloudsync_payload_context *payload, size_t needed) {
     if (payload->nrows == 0) needed += sizeof(cloudsync_payload_header);
 
@@ -2008,7 +2033,9 @@ int cloudsync_payload_encode_step (cloudsync_payload_context *payload, cloudsync
     }
 
     char *buffer = payload->buffer + payload->bused;
-    pk_encode((dbvalue_t **)argv, argc, buffer, false, NULL, data->skip_decode_idx);
+    size_t bsize = payload->balloc - payload->bused;
+    char *p = pk_encode((dbvalue_t **)argv, argc, buffer, false, &bsize, data->skip_decode_idx);
+    if (!p) cloudsync_set_error(data, "An error occurred while encoding payload", DBRES_ERROR);
 
     // update buffer
     payload->bused += breq;
@@ -2077,6 +2104,10 @@ int cloudsync_payload_encode_final (cloudsync_payload_context *payload, cloudsyn
         zused = real_buffer_size;
     }
 
+    // compute checksum of the buffer
+    uint64_t checksum = pk_checksum(zbuffer + header_size, zused);
+    cloudsync_payload_checksum_store(&header, checksum);
+    
     // copy header and data to SQLite BLOB
     memcpy(zbuffer, &header, sizeof(cloudsync_payload_header));
     int blob_size = zused + sizeof(cloudsync_payload_header);
@@ -2179,6 +2210,12 @@ int cloudsync_payload_apply (cloudsync_context *data, const char *payload, int b
     const char *buffer = payload + sizeof(cloudsync_payload_header);
     blen -= sizeof(cloudsync_payload_header);
 
+    // sanity check checksum
+    uint64_t checksum = pk_checksum(buffer, blen);
+    if (cloudsync_payload_checksum_verify(&header, checksum) == false) {
+        return cloudsync_set_error(data, "Error on cloudsync_payload_apply: invalid checksum", DBRES_MISUSE);
+    }
+    
     // check if payload is compressed
     char *clone = NULL;
     if (header.expanded_size != 0) {
@@ -2216,7 +2253,12 @@ int cloudsync_payload_apply (cloudsync_context *data, const char *payload, int b
 
     for (uint32_t i=0; i<nrows; ++i) {
         size_t seek = 0;
-        pk_decode((char *)buffer, blen, ncols, &seek, data->skip_decode_idx, cloudsync_payload_decode_callback, &decoded_context);
+        int res = pk_decode((char *)buffer, blen, ncols, &seek, data->skip_decode_idx, cloudsync_payload_decode_callback, &decoded_context);
+        if (res == -1) {
+            if (in_savepoint) database_rollback_savepoint(data, "cloudsync_payload_apply");
+            rc = DBRES_ERROR;
+            goto cleanup;
+        }
         // n is the pk_decode return value, I don't think I should assert here because in any case the next databasevm_step would fail
         // assert(n == ncols);
 
@@ -2301,6 +2343,7 @@ int cloudsync_payload_apply (cloudsync_context *data, const char *payload, int b
         }
     }
 
+cleanup:
     // cleanup vm
     if (vm) databasevm_finalize(vm);
 

src/endian.h

@@ -0,0 +1,99 @@
+//
+//  endian.h
+//  cloudsync
+//
+//  Created by Marco Bambini on 17/01/26.
+//
+
+#ifndef __CLOUDSYNC_ENDIAN__
+#define __CLOUDSYNC_ENDIAN__
+
+#include <stdint.h>
+
+#if defined(_MSC_VER)
+  #include <stdlib.h>   // _byteswap_uint64
+#endif
+
+// =======================================================
+//  bswap64 - portable
+// =======================================================
+
+static inline uint64_t bswap64_u64(uint64_t v) {
+#if defined(_MSC_VER)
+    return _byteswap_uint64(v);
+
+#elif defined(__has_builtin)
+  #if __has_builtin(__builtin_bswap64)
+    return __builtin_bswap64(v);
+  #else
+    return ((v & 0x00000000000000FFull) << 56) |
+           ((v & 0x000000000000FF00ull) << 40) |
+           ((v & 0x0000000000FF0000ull) << 24) |
+           ((v & 0x00000000FF000000ull) <<  8) |
+           ((v & 0x000000FF00000000ull) >>  8) |
+           ((v & 0x0000FF0000000000ull) >> 24) |
+           ((v & 0x00FF000000000000ull) >> 40) |
+           ((v & 0xFF00000000000000ull) >> 56);
+  #endif
+
+#elif defined(__GNUC__) || defined(__clang__)
+    return __builtin_bswap64(v);
+
+#else
+    return ((v & 0x00000000000000FFull) << 56) |
+           ((v & 0x000000000000FF00ull) << 40) |
+           ((v & 0x0000000000FF0000ull) << 24) |
+           ((v & 0x00000000FF000000ull) <<  8) |
+           ((v & 0x000000FF00000000ull) >>  8) |
+           ((v & 0x0000FF0000000000ull) >> 24) |
+           ((v & 0x00FF000000000000ull) >> 40) |
+           ((v & 0xFF00000000000000ull) >> 56);
+#endif
+}
+
+// =======================================================
+//  Compile-time endianness detection
+// =======================================================
+
+#if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && defined(__ORDER_BIG_ENDIAN__)
+  #if (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
+    #define HOST_IS_LITTLE_ENDIAN 1
+  #elif (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__)
+    #define HOST_IS_LITTLE_ENDIAN 0
+  #endif
+#endif
+
+// WebAssembly is currently defined as little-endian in all major toolchains
+#if !defined(HOST_IS_LITTLE_ENDIAN) && (defined(__wasm__) || defined(__EMSCRIPTEN__))
+  #define HOST_IS_LITTLE_ENDIAN 1
+#endif
+
+// Runtime fallback if unknown at compile-time
+static inline int host_is_little_endian_runtime (void) {
+    const uint16_t x = 1;
+    return *((const uint8_t*)&x) == 1;
+}
+
+// =======================================================
+//  Public API
+// =======================================================
+
+static inline uint64_t host_to_be64 (uint64_t v) {
+#if defined(HOST_IS_LITTLE_ENDIAN)
+  #if HOST_IS_LITTLE_ENDIAN
+    return bswap64_u64(v);
+  #else
+    return v;
+  #endif
+#else
+    return host_is_little_endian_runtime() ? bswap64_u64(v) : v;
+#endif
+}
+
+static inline uint64_t be64_to_host (uint64_t v) {
+    // same operation (bswap if little-endian)
+    return host_to_be64(v);
+}
+
+#endif
+