1
0
Fork 0
mirror of https://github.com/ton-blockchain/ton synced 2025-03-09 15:40:10 +00:00

Patch/fix ub (#724)

* Fix input validation in storage-manager and bitstring

* Fix potentially dangling pointer missing_library

---------

Co-authored-by: SpyCheese <mikle98@yandex.ru>
This commit is contained in:
EmelyanenkoK 2023-07-14 15:25:07 +03:00 committed by GitHub
parent 9b34217bf0
commit ef306dd36e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 73 additions and 33 deletions

View file

@ -142,28 +142,57 @@ td::Ref<vm::Cell> CellText::do_store(td::BitSlice slice) {
}
template <class F>
void CellText::for_each(F &&f, CellSlice cs) {
td::Status CellText::for_each(F &&f, CellSlice cs) {
if (!cs.have(8)) {
return td::Status::Error("Cell underflow");
}
auto depth = cs.fetch_ulong(8);
if (depth > max_chain_length) {
return td::Status::Error("Too deep string");
}
for (td::uint32 i = 0; i < depth; i++) {
auto size = cs.fetch_ulong(8);
f(cs.fetch_bits(td::narrow_cast<int>(size) * 8));
if (!cs.have(8)) {
return td::Status::Error("Cell underflow");
}
auto size = td::narrow_cast<int>(cs.fetch_ulong(8));
if (!cs.have(size * 8)) {
return td::Status::Error("Cell underflow");
}
TRY_STATUS(f(cs.fetch_bits(size * 8)));
if (i + 1 < depth) {
if (!cs.have_refs()) {
return td::Status::Error("Cell underflow");
}
cs = vm::load_cell_slice(cs.prefetch_ref());
}
}
return td::Status::OK();
}
td::Result<td::string> CellText::load(CellSlice &cs) {
unsigned int size = 0;
for_each([&](auto slice) { size += slice.size(); }, cs);
TRY_STATUS(for_each(
[&](auto slice) {
size += slice.size();
if (size > max_bytes * 8) {
return td::Status::Error("String is too long");
}
return td::Status::OK();
},
cs));
if (size % 8 != 0) {
return td::Status::Error("Size is not divisible by 8");
}
std::string res(size / 8, 0);
td::BitPtr to(td::MutableSlice(res).ubegin());
for_each([&](auto slice) { to.concat(slice); }, cs);
TRY_STATUS(for_each(
[&](auto slice) {
to.concat(slice);
return td::Status::OK();
},
cs));
CHECK(to.offs == (int)size);
return res;
}

View file

@ -52,7 +52,7 @@ class CellText {
private:
template <class F>
static void for_each(F &&f, CellSlice cs);
static td::Status for_each(F &&f, CellSlice cs);
static td::Ref<vm::Cell> do_store(td::BitSlice slice);
};

View file

@ -633,7 +633,7 @@ Ref<Cell> VmState::load_library(td::ConstBitPtr hash) {
return lib;
}
}
missing_library = hash;
missing_library = td::Bits256{hash};
return {};
}

View file

@ -25,6 +25,7 @@
#include "vm/log.h"
#include "vm/continuation.h"
#include "td/utils/HashSet.h"
#include "td/utils/optional.h"
namespace vm {
@ -97,7 +98,7 @@ class VmState final : public VmStateInterface {
td::HashSet<CellHash> loaded_cells;
int stack_trace{0}, debug_off{0};
bool chksig_always_succeed{false};
td::ConstBitPtr missing_library{0};
td::optional<td::Bits256> missing_library;
td::uint16 max_data_depth = 512; // Default value
int global_version{0};
size_t chksgn_counter = 0;
@ -383,7 +384,7 @@ class VmState final : public VmStateInterface {
Ref<OrdCont> ref_to_cont(Ref<Cell> cell) const {
return td::make_ref<OrdCont>(load_cell_slice_ref(std::move(cell)), get_cp());
}
td::ConstBitPtr get_missing_library() const {
td::optional<td::Bits256> get_missing_library() const {
return missing_library;
}
void set_max_data_depth(td::uint16 depth) {