dbus2 / zbus-old

Rust D-Bus crate.
https://gitlab.freedesktop.org/dbus/zbus

Crashes in gvariant related to bytes.len() - 1 #271

Closed zeenix closed 1 year ago

zeenix commented 2 years ago

In GitLab by @jwestman on Apr 19, 2022, 06:34

Reproducer:

```rust
use zvariant::{EncodingContext as Context, from_slice, Value};
use byteorder::LE;

fn main() {
    let ctx = Context::<LE>::new_gvariant(0);
    // Deserializing an empty slice panics instead of returning Err.
    let value: Result<Value, _> = from_slice(&vec![], ctx);
}
```

```
thread 'main' panicked at 'attempt to subtract with overflow', /home/jwestman/.cargo/registry/src/github.com-1ecc6299db9ec823/zvariant-3.1.2/src/gvariant/de.rs:694:29
```

Some invalid inputs--particularly, an empty input--cause zvariant to panic rather than return an appropriate error. This case is an integer underflow at zvariant/src/gvariant/de.rs:702 when the length of the message is 0. There are several other instances of len() - 1 in the same file, and I suspect they are also susceptible to invalid inputs.
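
The failure mode reported above, as an added Rust example that is not zvariant's code: a simplified GVariant-style container with trailing one-byte framing offsets, read once with the unchecked `len() - 1` pattern and once with checks that return an error. `DecodeError`, `table_start_unchecked` and `split_elements` are hypothetical names, and treating an empty input as an error is an assumption of this sketch.

```rust
// Added illustration with hypothetical names; not code from zvariant.
// Assumption: container of at most 255 bytes, so each framing offset is one byte.
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Empty,
    TooLarge(usize),
    BadOffset(usize),
}

/// The unchecked pattern from the issue: panics on an empty slice.
#[allow(dead_code)]
pub fn table_start_unchecked(bytes: &[u8]) -> usize {
    bytes[bytes.len() - 1] as usize
}

/// Splits the container into its elements, returning Err on malformed input.
pub fn split_elements(bytes: &[u8]) -> Result<Vec<&[u8]>, DecodeError> {
    if bytes.len() > u8::MAX as usize {
        return Err(DecodeError::TooLarge(bytes.len()));
    }
    // split_last() is None for an empty slice, so there is no `len() - 1`.
    let (&last, _) = bytes.split_last().ok_or(DecodeError::Empty)?;
    // The final offset is the end of the last element, where the table begins.
    let table_start = last as usize;
    if table_start >= bytes.len() {
        return Err(DecodeError::BadOffset(table_start));
    }
    let mut elements = Vec::new();
    let mut start = 0;
    for &end in &bytes[table_start..] {
        let end = end as usize;
        if end > table_start {
            return Err(DecodeError::BadOffset(end));
        }
        // get() returns None when end < start instead of panicking.
        let element = bytes.get(start..end).ok_or(DecodeError::BadOffset(end))?;
        elements.push(element);
        start = end;
    }
    Ok(elements)
}

fn main() {
    // Constructed sample: "hi\0" and "you\0" followed by offsets 3 and 7.
    let sample = b"hi\0you\0\x03\x07";
    println!("{:?}", split_elements(sample));
    println!("{:?}", split_elements(&[]));
}
```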

zeenix commented 2 years ago

@jwestman Thanks so much for reporting this with all the details. I'm currently on PTO but I'll try and have a look soon. If you could provide a merge request, that'd be even more helpful and greatly appreciated.

zeenix commented 2 years ago

In GitLab by @jwestman on Apr 19, 2022, 19:17

Opened an MR: https://gitlab.freedesktop.org/dbus/zbus/-/merge_requests/484

There's another panic at zvariant/src/framing_offsets.rs:23, but I'm not sure how to fix that one.

zeenix commented 2 years ago

> Opened an MR: https://gitlab.freedesktop.org/dbus/zbus/-/merge_requests/484

:thumbsup:

> There's another panic at zvariant/src/framing_offsets.rs:23, but I'm not sure how to fix that one.

If you could just add a simple test case, that'd already be very helpful.

zeenix commented 1 year ago

mentioned in commit 6edb88a6551fdee00c6953f1fef7a5c09c31f543