Describe the bug, including details regarding any error messages, version, and platform.
Describe the bug
BufferBuilder and TypedBufferBuilder perform unchecked integer arithmetic in size calculations such as:
- size_ + additional_bytes
- num_elements * sizeof(T)
These operations can overflow, leading to incorrect buffer size calculations.
To Reproduce
The issue can be triggered through JSON parsing, where untrusted input controls array sizes, string lengths, and element counts. These values are propagated to BufferBuilder and TypedBufferBuilder.
Expected behavior
Buffer size calculations should be overflow-safe and reject invalid or excessively large inputs.
Actual behavior
Overflow in size computations may wrap around, resulting in under-allocation of buffers and potential out-of-bounds writes.
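As an added illustration (not Arrow's own code), the helpers below model the two expressions named in this report, `size_ + additional_bytes` and `num_elements * sizeof(T)`, once unchecked and once overflow-safe; the names and the caller-supplied `limit` are assumptions for the example.

```cpp
#include <cstdint>
#include <limits>
#include <optional>

// Illustrative helpers written for this report, not Arrow's own code.
constexpr uint64_t kMax = std::numeric_limits<uint64_t>::max();

// Unchecked: the pattern the report describes. Unsigned arithmetic wraps
// modulo 2^64, so an attacker-chosen element count can yield a tiny total,
// and a buffer sized from it is far smaller than the data written into it.
uint64_t UncheckedBytes(uint64_t size, uint64_t num_elements, uint64_t elem_size) {
  return size + num_elements * elem_size;
}

// Overflow-safe multiply: rejects the product if it would exceed 2^64 - 1.
std::optional<uint64_t> CheckedMul(uint64_t a, uint64_t b) {
  if (a != 0 && b > kMax / a) return std::nullopt;
  return a * b;
}

// Overflow-safe add: rejects the sum if it would exceed 2^64 - 1.
std::optional<uint64_t> CheckedAdd(uint64_t a, uint64_t b) {
  if (a > kMax - b) return std::nullopt;
  return a + b;
}

// Checked total: fails closed on overflow and on totals above a caller-chosen
// limit, so oversized untrusted inputs are rejected instead of under-allocated.
std::optional<uint64_t> CheckedBytes(uint64_t size, uint64_t num_elements,
                                     uint64_t elem_size, uint64_t limit) {
  std::optional<uint64_t> extra = CheckedMul(num_elements, elem_size);
  if (!extra) return std::nullopt;
  std::optional<uint64_t> total = CheckedAdd(size, *extra);
  if (!total || *total > limit) return std::nullopt;
  return total;
}
```

With `num_elements = 2^61` and an 8-byte element the unchecked version reports 0 bytes, while the checked version refuses the request.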
Additional context
This affects code paths used by the JSON parser (parser.cc), meaning untrusted input can reach these unsafe operations.
Component(s)
C++