Avoid reading uninitialized memory when validating MiniTable.

PiperOrigin-RevId: 506163723
2 years ago · f8a3e0d684
parent 702d95891d
commit f8a3e0d684
2 changed files with 12 additions and 1 deletions
--- a/upb/message/test.cc
+++ b/upb/message/test.cc
@ -655,4 +655,8 @@ TEST(MessageTest, MapField) {
 //                                         0);
 // }
 //
+// TEST(FuzzTest, MapFieldVerify) {
+//   DecodeEncodeArbitrarySchemaAndPayload({{"%  ^!"}, {}, "", {}}, "", 0, 0);
+// }
+//
 // end:google_only
--- a/upb/mini_table/decode.c
+++ b/upb/mini_table/decode.c
@ -675,7 +675,7 @@ static void upb_MtDecoder_ValidateEntryField(upb_MtDecoder* d,
                              name, expected_num, (int)f->number);
  }

-  if (upb_IsRepeatedOrMap(f) || f->presence < 0) {
+  if (upb_IsRepeatedOrMap(f)) {
    upb_MtDecoder_ErrorFormat(
        d, "map %s cannot be repeated or map, or be in oneof", name);
  }
@ -705,6 +705,13 @@ static void upb_MtDecoder_ParseMap(upb_MtDecoder* d, const char* data,
    UPB_UNREACHABLE();
  }

+  upb_LayoutItem* end = UPB_PTRADD(d->vec.data, d->vec.size);
+  for (upb_LayoutItem* item = d->vec.data; item < end; item++) {
+    if (item->type == kUpb_LayoutItemType_OneofCase) {
+      upb_MtDecoder_ErrorFormat(d, "Map entry cannot have oneof");
+    }
+  }
+
  upb_MtDecoder_ValidateEntryField(d, &d->table->fields[0], 1);
  upb_MtDecoder_ValidateEntryField(d, &d->table->fields[1], 2);