Patch/fix ub (#724)

* Fix input validation in storage-manager and bitstring * Fix potentially dangling pointer missing_library --------- Co-authored-by: SpyCheese <mikle98@yandex.ru>
2025-03-09 15:40:10 +00:00 · 2023-07-14 15:25:07 +03:00 · 2023-07-14 15:25:07 +03:00 · ef306dd36e
commit ef306dd36e
parent 9b34217bf0
10 changed files with 73 additions and 33 deletions
--- a/crypto/vm/cells/CellString.cpp
+++ b/crypto/vm/cells/CellString.cpp
@ -142,28 +142,57 @@ td::Ref<vm::Cell> CellText::do_store(td::BitSlice slice) {
 }

 template <class F>
-void CellText::for_each(F &&f, CellSlice cs) {
+td::Status CellText::for_each(F &&f, CellSlice cs) {
+  if (!cs.have(8)) {
+    return td::Status::Error("Cell underflow");
+  }
  auto depth = cs.fetch_ulong(8);
+  if (depth > max_chain_length) {
+    return td::Status::Error("Too deep string");
+  }

  for (td::uint32 i = 0; i < depth; i++) {
-    auto size = cs.fetch_ulong(8);
-    f(cs.fetch_bits(td::narrow_cast<int>(size) * 8));
+    if (!cs.have(8)) {
+      return td::Status::Error("Cell underflow");
+    }
+    auto size = td::narrow_cast<int>(cs.fetch_ulong(8));
+    if (!cs.have(size * 8)) {
+      return td::Status::Error("Cell underflow");
+    }
+    TRY_STATUS(f(cs.fetch_bits(size * 8)));
    if (i + 1 < depth) {
+      if (!cs.have_refs()) {
+        return td::Status::Error("Cell underflow");
+      }
      cs = vm::load_cell_slice(cs.prefetch_ref());
    }
  }
+  return td::Status::OK();
 }

 td::Result<td::string> CellText::load(CellSlice &cs) {
  unsigned int size = 0;
-  for_each([&](auto slice) { size += slice.size(); }, cs);
+  TRY_STATUS(for_each(
+      [&](auto slice) {
+        size += slice.size();
+        if (size > max_bytes * 8) {
+          return td::Status::Error("String is too long");
+        }
+        return td::Status::OK();
+      },
+      cs));
  if (size % 8 != 0) {
    return td::Status::Error("Size is not divisible by 8");
  }
  std::string res(size / 8, 0);

  td::BitPtr to(td::MutableSlice(res).ubegin());
-  for_each([&](auto slice) { to.concat(slice); }, cs);
+  TRY_STATUS(for_each(
+      [&](auto slice) {
+        to.concat(slice);
+        return td::Status::OK();
+      },
+      cs));
  CHECK(to.offs == (int)size);
  return res;
 }
--- a/crypto/vm/cells/CellString.h
+++ b/crypto/vm/cells/CellString.h
@ -52,7 +52,7 @@ class CellText {

 private:
  template <class F>
-  static void for_each(F &&f, CellSlice cs);
+  static td::Status for_each(F &&f, CellSlice cs);
  static td::Ref<vm::Cell> do_store(td::BitSlice slice);
 };

--- a/crypto/vm/vm.cpp
+++ b/crypto/vm/vm.cpp
@ -633,7 +633,7 @@ Ref<Cell> VmState::load_library(td::ConstBitPtr hash) {
      return lib;
    }
  }
-  missing_library = hash;
+  missing_library = td::Bits256{hash};
  return {};
 }

--- a/crypto/vm/vm.h
+++ b/crypto/vm/vm.h
@ -25,6 +25,7 @@
 #include "vm/log.h"
 #include "vm/continuation.h"
 #include "td/utils/HashSet.h"
+#include "td/utils/optional.h"

 namespace vm {

@ -97,7 +98,7 @@ class VmState final : public VmStateInterface {
  td::HashSet<CellHash> loaded_cells;
  int stack_trace{0}, debug_off{0};
  bool chksig_always_succeed{false};
-  td::ConstBitPtr missing_library{0};
+  td::optional<td::Bits256> missing_library;
  td::uint16 max_data_depth = 512; // Default value
  int global_version{0};
  size_t chksgn_counter = 0;
@ -383,7 +384,7 @@ class VmState final : public VmStateInterface {
  Ref<OrdCont> ref_to_cont(Ref<Cell> cell) const {
    return td::make_ref<OrdCont>(load_cell_slice_ref(std::move(cell)), get_cp());
  }
-  td::ConstBitPtr get_missing_library() const {
+  td::optional<td::Bits256> get_missing_library() const {
    return missing_library;
  }
  void set_max_data_depth(td::uint16 depth) {