rust-ethereum / ethabi

Encode and decode smart contract invocations
Apache License 2.0
517 stars 186 forks

Fixed Panic due to out-of-bounds slice access while decoding FixedArray of dynamically sized types #250

Closed f0rki closed 3 years ago

f0rki commented 3 years ago

I found this via fuzzing and I already had the fix in PR #221, but it did not receive any attention. So this PR is my next attempt to land this fix, this time with a minimal reproducer test case. The problem is essentially the same as the one I fixed in PR #203. When attempting to decode a corrupted FixedArray of a dynamically sized type (e.g., string[5] or uint[5][]) one needs to check whether the offset is legitimate to avoid panicking.
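
The offset check described in the comment above, as an added example that is not part of the PR and is not ethabi's code: a simplified decoder for a single `string[N]` parameter that returns an error instead of panicking when a head or element offset points outside the input. The names `decode_fixed_string_array`, `DecodeError`, `read_usize` and `sample` are hypothetical, and offsets are assumed to fit in 32 bits.

```rust
// Added example, not ethabi's code: simplified decoder for one `string[N]`
// parameter that validates every offset before slicing.
#[derive(Debug, PartialEq)]
pub enum DecodeError { OutOfBounds, OffsetTooLarge }

/// Read the 32-byte big-endian word at `pos` as a usize.
fn read_usize(data: &[u8], pos: usize) -> Result<usize, DecodeError> {
    let end = pos.checked_add(32).ok_or(DecodeError::OutOfBounds)?;
    let word = data.get(pos..end).ok_or(DecodeError::OutOfBounds)?;
    if word[..28].iter().any(|&b| b != 0) {
        return Err(DecodeError::OffsetTooLarge); // assumption: 32-bit offsets only
    }
    Ok(u32::from_be_bytes([word[28], word[29], word[30], word[31]]) as usize)
}

pub fn decode_fixed_string_array(data: &[u8], n: usize) -> Result<Vec<Vec<u8>>, DecodeError> {
    // Head word: offset of the array's tail. Indexing with `&data[off..]`
    // panics on a corrupt offset; `get` turns it into an error instead.
    let tail_off = read_usize(data, 0)?;
    let tail = data.get(tail_off..).ok_or(DecodeError::OutOfBounds)?;
    let mut out = Vec::new();
    for i in 0..n {
        // Element offsets are relative to the start of the tail.
        let elem_off = read_usize(tail, i.checked_mul(32).ok_or(DecodeError::OutOfBounds)?)?;
        let len = read_usize(tail, elem_off)?;
        let start = elem_off.checked_add(32).ok_or(DecodeError::OutOfBounds)?;
        let end = start.checked_add(len).ok_or(DecodeError::OutOfBounds)?;
        out.push(tail.get(start..end).ok_or(DecodeError::OutOfBounds)?.to_vec());
    }
    Ok(out)
}

/// Constructed sample: ABI encoding of `string[2]` = ["ab", "c"].
pub fn sample() -> Vec<u8> {
    let word = |v: u8| { let mut w = [0u8; 32]; w[31] = v; w };
    let (mut ab, mut c) = ([0u8; 32], [0u8; 32]);
    ab[..2].copy_from_slice(b"ab");
    c[0] = b'c';
    [word(0x20), word(0x40), word(0x80), word(2), ab, word(1), c].concat()
}

fn main() {
    let mut data = sample();
    println!("{:?}", decode_fixed_string_array(&data, 2));
    data[62] = 0xff; // corrupt element 0's offset so it points past the input
    println!("{:?}", decode_fixed_string_array(&data, 2));
}
```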

f0rki commented 3 years ago

@vkgnosis sure. pushed.