QCBOR: Improve handling of end of data and error; add indefinite length encoding
* Minor improvements / fixes in run_test framework
* Add CBOR indefinite length encoding
* Recheck pointer math in UsefulBuf and remove "TODO"
* Better error handling of not-well-formed CBOR when decoding
* Better handling of end of data when decoding
* Better handling of encode error when out of space in output buffer
Change-Id: Ib8dc2af95bc533b7905648d8f8c3b1bf1c42ba44
Signed-off-by: Laurence Lundblade <lgl@securitytheory.com>
diff --git a/lib/ext/qcbor/src/UsefulBuf.c b/lib/ext/qcbor/src/UsefulBuf.c
index f13dad2..0c336b8 100644
--- a/lib/ext/qcbor/src/UsefulBuf.c
+++ b/lib/ext/qcbor/src/UsefulBuf.c
@@ -41,6 +41,7 @@
when who what, where, why
-------- ---- ---------------------------------------------------
+ 11/08/2019 llundblade Re check pointer math and update comments
3/6/2019 llundblade Add UsefulBuf_IsValue()
09/07/17 llundbla Fix critical bug in UsefulBuf_Find() -- a read off
the end of memory when the bytes to find is longer
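Review bot: The new history entry writes "Re check" as two words, while the commit message uses "Recheck"; suggest "Recheck pointer math and update comments". Its date, 11/08/2019, is also in a third format next to 3/6/2019 and 09/07/17 below it, and it does not say whether it is month/day or day/month; one format for the whole table would remove the ambiguity.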
@@ -222,7 +223,7 @@
}
/* 1. Will it fit? */
- // WillItFit() is the same as: NewData.len <= (me->size - me->data_len)
+ // WillItFit() is the same as: NewData.len <= (me->UB.len - me->data_len)
// Check #1 makes sure subtraction in RoomLeft will not wrap around
if(! UsefulOutBuf_WillItFit(pMe, NewData.len)) { // Check #2
// The new data will not fit into the the buffer.
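Review bot: The corrected comment on the WillItFit() line still names the object me (me->UB.len, me->data_len), while the code right below it dereferences pMe; suggest writing it as NewData.len <= (pMe->UB.len - pMe->data_len) so it can be checked against the code token for token. The unchanged comment two lines further down has a doubled word ("into the the buffer") that could be fixed in the same pass.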
@@ -231,7 +232,9 @@
}
/* 2. Check the Insertion Position */
- // This, with Check #1, also confirms that uInsertionPos <= me->data_len
+ // This, with Check #1, also confirms that uInsertionPos <= me->data_len and
+ // that uInsertionPos + pMe->UB.ptr will not wrap around the end of the
+ // address space.
if(uInsertionPos > pMe->data_len) { // Check #3
// Off the end of the valid data in the buffer.
pMe->err = 1;
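Review bot: The added sentence above Check #3 claims more than the two checks establish on their own. Check #3 bounds uInsertionPos by data_len, and Check #1 is described as guarding the subtraction in RoomLeft, so together they bound uInsertionPos by the buffer length; that uInsertionPos + pMe->UB.ptr cannot wrap additionally requires that UB.ptr through UB.ptr + UB.len is a valid range, which is a precondition on how the buffer was initialized. Suggest stating that assumption in the comment. The comment also mixes me->data_len and pMe->UB.ptr in one sentence; use pMe throughout.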
@@ -245,6 +248,7 @@
if(uNumBytesToMove && pMe->UB.ptr) {
// To know memmove won't go off end of destination, see PtrMath #4
+ // Use memove because it handles overlapping buffers
memmove(pDestinationOfMove, pSourceOfMove, uNumBytesToMove);
}
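Review bot: The added comment misspells the function as "memove"; it should read "memmove", matching the call on the next line, and end with a period like the comment above it. Since the point of this commit is to document the pointer reasoning, it would help to say why overlap is expected here, namely that the move shifts existing data within the same buffer.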
@@ -254,7 +258,7 @@
// To know memmove won't go off end of destination, see PtrMath #6
memmove(pInsertionPoint, NewData.ptr, NewData.len);
}
- pMe->data_len += NewData.len ;
+ pMe->data_len += NewData.len;
}
@@ -269,9 +273,9 @@
PtrMath #2 will never wrap around under because
Check #3 makes sure uInsertionPos is less than me->data_len
- PtrMath #3 will never wrap around over because todo
- PtrMath #1 is checked resulting in pSourceOfMove being between me->UB.ptr and a maximum valid ptr
- Check #2 that NewData.len will fit
+ PtrMath #3 will never wrap around over because
+ PtrMath #1 is checked resulting in pSourceOfMove being between me->UB.ptr and me->UB.ptr + me->data_len
+ Check #2 that NewData.len will fit in the unused space left in me->UB
PtrMath #4 will never wrap under because
Calculation for extent or memmove is uRoomInDestination = me->UB.len - (uInsertionPos + NewData.len)
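Review bot: In the PtrMath #2 justification just above the rewritten PtrMath #3 text, the unchanged line says Check #3 makes sure uInsertionPos is "less than" me->data_len, but Check #3 only rejects uInsertionPos > pMe->data_len, so equality is allowed. Suggest "less than or equal to" there, and saying in the new PtrMath #3 line that the upper bound me->UB.ptr + me->data_len is inclusive, since the insert-at-end case is exactly where an off-by-one would matter. The phrase "wrap around over" would read more clearly as "wrap around the top of the address space", the wording used in the Check #3 comment.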