fix fuzzer failure due to a bad map descriptor

Maps may only have exactly two fields. Fail when we see otherwise. PiperOrigin-RevId: 494634279
2 years ago · 11fc16328a
parent e6e48dfea3
commit 11fc16328a
2 changed files with 21 additions and 0 deletions
--- a/upb/message/test.cc
+++ b/upb/message/test.cc
@ -590,4 +590,10 @@ TEST(MessageTest, MapField) {
 //       901979906, 65537);
 // }
 //
+// // This test encodes a map field with extra cruft.
+// TEST(FuzzTest, DecodeEncodeArbitrarySchemaAndPayloadRegressionInvalidMap) {
+//   DecodeEncodeArbitrarySchemaAndPayload({{"%%%%///////"}, {}, "", {}},
+//                                         std::string("\035|", 2), 65536, 3);
+// }
+//
 // end:google_only
--- a/upb/mini_table/decode.c
+++ b/upb/mini_table/decode.c
@ -693,6 +693,21 @@ static void upb_MtDecoder_ParseMap(upb_MtDecoder* d, const char* data,
  }

  upb_MtDecoder_ParseMessage(d, data, len);
+  if (UPB_UNLIKELY(d->table->field_count != 2)) {
+    upb_MtDecoder_ErrorFormat(d, "%hu fields in map", d->table->field_count);
+    UPB_UNREACHABLE();
+  }
+  if (UPB_UNLIKELY(d->table->fields[0].number != 1)) {
+    upb_MtDecoder_ErrorFormat(d, "field %d in map key",
+                              d->table->fields[0].number);
+    UPB_UNREACHABLE();
+  }
+  if (UPB_UNLIKELY(d->table->fields[1].number != 2)) {
+    upb_MtDecoder_ErrorFormat(d, "field %d in map val",
+                              d->table->fields[1].number);
+    UPB_UNREACHABLE();
+  }
+
  upb_MtDecoder_AssignHasbits(d->table);

  // Map entries have a pre-determined layout, regardless of types.