Fix std/cbor decoding multi-byte 0-length strings
Updates https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25041
diff --git a/release/c/wuffs-unsupported-snapshot.c b/release/c/wuffs-unsupported-snapshot.c
index ca45518..2392f68 100644
--- a/release/c/wuffs-unsupported-snapshot.c
+++ b/release/c/wuffs-unsupported-snapshot.c
@@ -17010,12 +17010,13 @@
goto label__goto_parsed_a_leaf_value__break;
}
} else if (v_c_major == 2) {
- if (v_c_minor == 0) {
- *iop_a_dst++ = wuffs_base__make_token(
- (((uint64_t)(4194560)) << WUFFS_BASE__TOKEN__VALUE_MINOR__SHIFT) |
- (((uint64_t)(1)) << WUFFS_BASE__TOKEN__LENGTH__SHIFT));
- goto label__goto_parsed_a_leaf_value__break;
- } else if (v_c_minor < 28) {
+ if (v_c_minor < 28) {
+ if (v_string_length == 0) {
+ *iop_a_dst++ = wuffs_base__make_token(
+ (((uint64_t)(4194560)) << WUFFS_BASE__TOKEN__VALUE_MINOR__SHIFT) |
+ (((uint64_t)(((uint32_t)(WUFFS_CBOR__TOKEN_LENGTHS[v_c_minor])))) << WUFFS_BASE__TOKEN__LENGTH__SHIFT));
+ goto label__goto_parsed_a_leaf_value__break;
+ }
*iop_a_dst++ = wuffs_base__make_token(
(((uint64_t)(4194560)) << WUFFS_BASE__TOKEN__VALUE_MINOR__SHIFT) |
(((uint64_t)(1)) << WUFFS_BASE__TOKEN__CONTINUED__SHIFT) |
@@ -17075,12 +17076,13 @@
goto label__goto_parsed_a_leaf_value__break;
}
} else if (v_c_major == 3) {
- if (v_c_minor == 0) {
- *iop_a_dst++ = wuffs_base__make_token(
- (((uint64_t)(4194579)) << WUFFS_BASE__TOKEN__VALUE_MINOR__SHIFT) |
- (((uint64_t)(1)) << WUFFS_BASE__TOKEN__LENGTH__SHIFT));
- goto label__goto_parsed_a_leaf_value__break;
- } else if (v_c_minor < 28) {
+ if (v_c_minor < 28) {
+ if (v_string_length == 0) {
+ *iop_a_dst++ = wuffs_base__make_token(
+ (((uint64_t)(4194579)) << WUFFS_BASE__TOKEN__VALUE_MINOR__SHIFT) |
+ (((uint64_t)(((uint32_t)(WUFFS_CBOR__TOKEN_LENGTHS[v_c_minor])))) << WUFFS_BASE__TOKEN__LENGTH__SHIFT));
+ goto label__goto_parsed_a_leaf_value__break;
+ }
*iop_a_dst++ = wuffs_base__make_token(
(((uint64_t)(4194579)) << WUFFS_BASE__TOKEN__VALUE_MINOR__SHIFT) |
(((uint64_t)(1)) << WUFFS_BASE__TOKEN__CONTINUED__SHIFT) |
diff --git a/std/cbor/decode_cbor.wuffs b/std/cbor/decode_cbor.wuffs
index e9da238..77b1097 100644
--- a/std/cbor/decode_cbor.wuffs
+++ b/std/cbor/decode_cbor.wuffs
@@ -294,15 +294,16 @@
} else if c_major == 2 {
// -------- BEGIN Major type 2: a byte string.
- if c_minor == 0x00 {
- args.dst.write_simple_token_fast!(
- value_major: 0,
- value_minor: (base.TOKEN__VBC__STRING << 21) |
- base.TOKEN__VBD__STRING__CONVERT_0_DST_1_SRC_DROP,
- continued: 0,
- length: 1)
- break.goto_parsed_a_leaf_value
- } else if c_minor < 0x1C {
+ if c_minor < 0x1C {
+ if string_length == 0 {
+ args.dst.write_simple_token_fast!(
+ value_major: 0,
+ value_minor: (base.TOKEN__VBC__STRING << 21) |
+ base.TOKEN__VBD__STRING__CONVERT_0_DST_1_SRC_DROP,
+ continued: 0,
+ length: TOKEN_LENGTHS[c_minor] as base.u32)
+ break.goto_parsed_a_leaf_value
+ }
args.dst.write_simple_token_fast!(
value_major: 0,
value_minor: (base.TOKEN__VBC__STRING << 21) |
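Review bot: The new `string_length == 0` branch has no comment explaining why the token length changed from the literal `1` to `TOKEN_LENGTHS[c_minor]`, which is the substance of the fix. I would add above the inner `if` something like `// A 0-length string still consumes its whole header, which is longer than 1 byte when c_minor is 0x18 ..= 0x1B.` The index appears bounded by the enclosing `c_minor < 0x1C` test, but the table's declaration is outside this hunk, so its size should be confirmed to cover that range. The same comment applies to the major type 3 hunk below. The enclosing function begins and ends outside the hunk.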
@@ -367,18 +368,19 @@
} else if c_major == 3 {
// -------- BEGIN Major type 3: a text string.
- if c_minor == 0x00 {
- args.dst.write_simple_token_fast!(
- value_major: 0,
- value_minor: (base.TOKEN__VBC__STRING << 21) |
- base.TOKEN__VBD__STRING__DEFINITELY_UTF_8 |
- base.TOKEN__VBD__STRING__CHAIN_MUST_BE_UTF_8 |
- base.TOKEN__VBD__STRING__DEFINITELY_ASCII |
- base.TOKEN__VBD__STRING__CONVERT_0_DST_1_SRC_DROP,
- continued: 0,
- length: 1)
- break.goto_parsed_a_leaf_value
- } else if c_minor < 0x1C {
+ if c_minor < 0x1C {
+ if string_length == 0 {
+ args.dst.write_simple_token_fast!(
+ value_major: 0,
+ value_minor: (base.TOKEN__VBC__STRING << 21) |
+ base.TOKEN__VBD__STRING__DEFINITELY_UTF_8 |
+ base.TOKEN__VBD__STRING__CHAIN_MUST_BE_UTF_8 |
+ base.TOKEN__VBD__STRING__DEFINITELY_ASCII |
+ base.TOKEN__VBD__STRING__CONVERT_0_DST_1_SRC_DROP,
+ continued: 0,
+ length: TOKEN_LENGTHS[c_minor] as base.u32)
+ break.goto_parsed_a_leaf_value
+ }
args.dst.write_simple_token_fast!(
value_major: 0,
value_minor: (base.TOKEN__VBC__STRING << 21) |
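Review bot: No regression input accompanies the text-string `string_length == 0` branch in the part of the commit visible here, so the case the fuzzer reported could regress unnoticed. One small test vector per header width for both major types would pin the behaviour, for example the constructed inputs `0x58 0x00` and `0x78 0x00` (a one-byte length field holding zero). Each should yield a single non-continued token that covers the whole header, presumably with the source position advanced by the same amount. If tests were added in files not shown on this page, this point is moot.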