Fix int overflow in parser

A maliciously crafted message with a bogus body length could make the parser panic if the body length is closed to the int limit. Fixes quickfixgo#678 Signed-off-by: Sylvain Rabot <[email protected]>
sylr · Feb 25, 2025 · 6459633 · 6459633
1 parent 2ed31c3
commit 6459633
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/parser.go b/parser.go
@@ -132,7 +132,10 @@ func (p *parser) jumpLength() (int, error) {
 		return length, err
 	}
 
-	if length <= 0 {
+	// Issue 678: if length approaches the int limit, it might overflow when
+	// adding offset and make it negative so we also need to check that
+	// offset+length is not negative.
+	if length <= 0 || offset+length <= 0 {
 		return length, errors.New("Invalid length")
 	}
 

diff --git a/parser_test.go b/parser_test.go
@@ -186,3 +186,9 @@ func (s *ParserSuite) TestReadMessageGrowBuffer() {
 		s.Equal(tc.expectedBufferLen, len(s.parser.buffer))
 	}
 }
+
+// https://github.com/quickfixgo/quickfix/issues/678
+func TestIssue678(t *testing.T) {
+	parser := newParser(strings.NewReader(string("8=\x019=119999999999999999999999999999999999999999999999999999999999970\x01")))
+	_, _ = parser.ReadMessage()
+}