prevent overflow

jpnurmi · jpnurmi · commit 41b42271adfb · 2025-07-25T09:11:46.000+02:00
diff --git a/src/sentry_envelope.c b/src/sentry_envelope.c
@@ -10,6 +10,7 @@
 #include "sentry_transport.h"
 #include "sentry_value.h"
 #include <assert.h>
+#include <limits.h>
 #include <string.h>
 
 struct sentry_envelope_item_s {
@@ -821,7 +822,8 @@ sentry_envelope_deserialize(const char *buf, size_t buf_len)
             item->payload_len = (size_t)payload_len;
         }
         if (item->payload_len > 0) {
-            if (ptr + item->payload_len > end) {
+            if (ptr + item->payload_len > end
+                || item->payload_len > INT32_MAX - 1) {
                 goto fail;
             }
             item->payload = sentry_malloc(item->payload_len + 1);
diff --git a/tests/unit/test_envelopes.c b/tests/unit/test_envelopes.c
@@ -670,4 +670,8 @@ SENTRY_TEST(deserialize_envelope_invalid)
     TEST_CHECK(!sentry_envelope_deserialize("{}\n{}", 5));
     TEST_CHECK(!sentry_envelope_deserialize("{}\ninvalid\n", 11));
     TEST_CHECK(!sentry_envelope_deserialize("invalid", 7));
+    TEST_CHECK(!sentry_envelope_deserialize("{}\n{\"length\":-1}\n", 17));
+    char buf[128];
+    snprintf(buf, sizeof(buf), "{}\n{\"length\":%d}\n", INT32_MAX);
+    TEST_CHECK(!sentry_envelope_deserialize(buf, strlen(buf)));
 }

Original file line number	Diff line number	Diff line change
`@@ -670,4 +670,8 @@ SENTRY_TEST(deserialize_envelope_invalid)`
`670`	`670`	`TEST_CHECK(!sentry_envelope_deserialize("{}\n{}", 5));`
`671`	`671`	`TEST_CHECK(!sentry_envelope_deserialize("{}\ninvalid\n", 11));`
`672`	`672`	`TEST_CHECK(!sentry_envelope_deserialize("invalid", 7));`
	`673`	`+ TEST_CHECK(!sentry_envelope_deserialize("{}\n{\"length\":-1}\n", 17));`
	`674`	`+ char buf[128];`
	`675`	`+ snprintf(buf, sizeof(buf), "{}\n{\"length\":%d}\n", INT32_MAX);`
	`676`	`+ TEST_CHECK(!sentry_envelope_deserialize(buf, strlen(buf)));`
`673`	`677`	`}`