pike.git / src / encode.c


pike.git/src/encode.c:16:   #include "dynamic_buffer.h"   #include "error.h"   #include "operators.h"   #include "builtin_functions.h"   #include "module_support.h"   #include "fsort.h"   #include "threads.h"   #include "stuff.h"   #include "version.h"    - RCSID("$Id: encode.c,v 1.26 1998/11/22 11:02:43 hubbe Exp $"); + RCSID("$Id: encode.c,v 1.27 1999/09/21 21:59:54 hubbe Exp $");      #ifdef _AIX   #include <net/nh.h>   #endif      #ifdef HAVE_NETINET_IN_H   #include <netinet/in.h>   #endif      #include <math.h>
pike.git/src/encode.c:704:       case T_INT:    tmp=data->counter;    data->counter.u.integer++;    push_int(num);    break;       case T_STRING:    tmp=data->counter;    data->counter.u.integer++; -  if(data->ptr + num > data->len) +  if(data->ptr + num > data->len || num<0)    error("Failed to decode string. (string range error)\n");    push_string(make_shared_binary_string((char *)(data->data + data->ptr), num));    data->ptr+=num;    break;       case T_FLOAT:    {    INT32 num2=num;       tmp=data->counter;    data->counter.u.integer++;       DECODE();    push_float(LDEXP((double)num2, num));    break;    }       case T_ARRAY:    { -  struct array *a=allocate_array(num); +  struct array *a; +  if(num < 0) +  error("Failed to decode string. (array size is negative)\n"); +  +  /* Heruetical */ +  if(data->ptr + num > data->len) +  error("Failed to decode array. (not enough data)\n"); +     tmp.type=T_ARRAY; -  tmp.u.array=a; +  tmp.u.array=a=allocate_array(num);    mapping_insert(data->decoded, & data->counter, &tmp);    data->counter.u.integer++;       /* Since a reference to the array is stored in the mapping, we can    * safely decrease this reference here. Thus it will be automatically    * freed if something goes wrong.    */    a->refs--;       for(e=0;e<num;e++)
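Review bot: The new T_STRING test evaluates `data->ptr + num` before anything bounds `num`, and the T_ARRAY test below it and the T_MAPPING and T_MULTISET tests in the next hunk use the same expression. If `num`, `data->ptr` and `data->len` are signed 32-bit values (the `INT32 num2=num;` line suggests so for `num`, the other two are not visible here), a large positive `num` from the input can overflow the sum, which may then compare below `data->len` and let the length through to `make_shared_binary_string` or the allocator. Comparing against the bytes that remain avoids the addition and puts the sign test first: `if(num < 0 || num > data->len - data->ptr)`, assuming `data->ptr` never exceeds `data->len`. The enclosing switch starts and ends outside the hunk.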
pike.git/src/encode.c:752:    ref_push_array(a);    return;    }       case T_MAPPING:    {    struct mapping *m;    if(num<0)    error("Failed to decode string. (mapping size is negative)\n");    +  /* Heruetical */ +  if(data->ptr + num > data->len) +  error("Failed to decode mapping. (not enough data)\n"); +     m=allocate_mapping(num);    tmp.type=T_MAPPING;    tmp.u.mapping=m;    mapping_insert(data->decoded, & data->counter, &tmp);    data->counter.u.integer++;    m->refs--;       for(e=0;e<num;e++)    {    decode_value2(data);    decode_value2(data);    mapping_insert(m, sp-2, sp-1);    pop_n_elems(2);    }    ref_push_mapping(m);    return;    }       case T_MULTISET:    { -  struct multiset *m=mkmultiset(low_allocate_array(0, num)); +  struct multiset *m; +  if(num<0) +  error("Failed to decode string. (multiset size is negative)\n"); +  +  /* Heruetical */ +  if(data->ptr + num > data->len) +  error("Failed to decode multiset. (not enough data)\n"); +  +  m=mkmultiset(low_allocate_array(0, num));    tmp.type=T_MULTISET;    tmp.u.multiset=m;    mapping_insert(data->decoded, & data->counter, &tmp);    data->counter.u.integer++;    m->refs--;       for(e=0;e<num;e++)    {    decode_value2(data);    multiset_insert(m, sp-1);
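Review bot: The `/* Heruetical */` comments in the T_MAPPING and T_MULTISET cases (and the T_ARRAY case in the previous hunk) do not state the assumption that makes the test valid: `num` is an element count, while `data->len` and `data->ptr` count bytes, so the check only holds if every encoded element takes at least one byte of input. I would write it out, e.g. `/* Heuristic: each element needs at least one input byte, so num cannot exceed the bytes left */`. The multiset negative-size message still begins with `Failed to decode string.`; `error("Failed to decode multiset. (multiset size is negative)\n");` would match the message added just below it. The enclosing switch starts and ends outside the hunk.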