ref: use SIZE_MAX in sentry_envelope_deserialize (#1328)

jpnurmi · JoshuaMoelans · web-flow · commit 79bf2dbc59b2 · 2025-08-01T13:01:26.000+02:00
* ref: use SIZE_MAX in sentry_envelope_deserialize

* restore payload_len &lt; 0 check

* fix length parsing vuln

* Update src/sentry_envelope.c

Co-authored-by: JoshuaMoelans &lt;60878493+JoshuaMoelans@users.noreply.github.com&gt;

---------

Co-authored-by: JoshuaMoelans &lt;60878493+JoshuaMoelans@users.noreply.github.com&gt;
diff --git a/src/sentry_envelope.c b/src/sentry_envelope.c
@@ -814,20 +814,22 @@ sentry_envelope_deserialize(const char *buf, size_t buf_len)
                 payload_end = end;
             }
             item->payload_len = (size_t)(payload_end - ptr);
+        } else if (sentry_value_get_type(length) == SENTRY_VALUE_TYPE_UINT64) {
+            uint64_t payload_len = sentry_value_as_uint64(length);
+            if (payload_len >= SIZE_MAX) {
+                goto fail;
+            }
+            item->payload_len = (size_t)payload_len;
         } else {
-            // TODO: sentry_value_as_uint64
-            // https://github.com/getsentry/sentry-native/pull/1301
-            int payload_len = sentry_value_as_int32(length);
-            if (payload_len < 0) {
+            int64_t payload_len = sentry_value_as_int64(length);
+            if (payload_len < 0 || (uint64_t)payload_len >= SIZE_MAX) {
                 goto fail;
             }
             item->payload_len = (size_t)payload_len;
         }
         if (item->payload_len > 0) {
-            // TODO: SIZE_MAX
-            // https://github.com/getsentry/sentry-native/pull/1301
             if (ptr + item->payload_len > end
-                || item->payload_len > INT32_MAX - 1) {
+                || item->payload_len >= SIZE_MAX) {
                 goto fail;
             }
             item->payload = sentry_malloc(item->payload_len + 1);
diff --git a/tests/unit/test_envelopes.c b/tests/unit/test_envelopes.c
@@ -671,9 +671,7 @@ SENTRY_TEST(deserialize_envelope_invalid)
     TEST_CHECK(!sentry_envelope_deserialize("{}\ninvalid\n", 11));
     TEST_CHECK(!sentry_envelope_deserialize("invalid", 7));
     TEST_CHECK(!sentry_envelope_deserialize("{}\n{\"length\":-1}\n", 17));
-    // TODO: SIZE_MAX
-    // https://github.com/getsentry/sentry-native/pull/1301
     char buf[128];
-    snprintf(buf, sizeof(buf), "{}\n{\"length\":%d}\n", INT32_MAX);
+    snprintf(buf, sizeof(buf), "{}\n{\"length\":%zu}\n", SIZE_MAX);
     TEST_CHECK(!sentry_envelope_deserialize(buf, strlen(buf)));
 }
