Fixed a fuzz bug when a negative oneof_index is provided.

PiperOrigin-RevId: 647789835
5 months ago · 62e07e367a
parent 32bedd9b8a
commit 62e07e367a
2 changed files with 12 additions and 1 deletions
--- a/upb/reflection/field_def.c
+++ b/upb/reflection/field_def.c
@ -648,7 +648,7 @@ static void _upb_FieldDef_Create(upb_DefBuilder* ctx, const char* prefix,
                           f->full_name);
    }

-    if (oneof_index >= upb_MessageDef_OneofCount(m)) {
+    if (oneof_index < 0 || oneof_index >= upb_MessageDef_OneofCount(m)) {
      _upb_DefBuilder_Errf(ctx, "oneof_index out of range (%s)", f->full_name);
    }

--- a/upb/util/def_to_proto_test.cc
+++ b/upb/util/def_to_proto_test.cc
@ -333,4 +333,15 @@ TEST(FuzzTest, RoundTripDescriptorRegressionOneofSameName) {
           })pb"));
 }

+TEST(FuzzTest, NegativeOneofIndex) {
+  RoundTripDescriptor(ParseTextProtoOrDie(
+      R"pb(file {
+             message_type {
+               name: "A"
+               field { name: "A" number: 0 type_name: "" oneof_index: -1 }
+             }
+           }
+      )pb"));
+}
+
 }  // namespace upb_test