Add checks to verifier (#7438)
diff --git a/include/flatbuffers/verifier.h b/include/flatbuffers/verifier.h index d100bf4..dd46dcf 100644 --- a/include/flatbuffers/verifier.h +++ b/include/flatbuffers/verifier.h
@@ -25,22 +25,24 @@ // Helper class to verify the integrity of a FlatBuffer class Verifier FLATBUFFERS_FINAL_CLASS { public: - Verifier(const uint8_t *buf, size_t buf_len, uoffset_t _max_depth = 64, - uoffset_t _max_tables = 1000000, bool _check_alignment = true) + Verifier(const uint8_t *const buf, const size_t buf_len, + const uoffset_t _max_depth = 64, + const uoffset_t _max_tables = 1000000, + const bool _check_alignment = true) : buf_(buf), size_(buf_len), - depth_(0), max_depth_(_max_depth), - num_tables_(0), max_tables_(_max_tables), - upper_bound_(0), check_alignment_(_check_alignment), + upper_bound_(0), + depth_(0), + num_tables_(0), flex_reuse_tracker_(nullptr) { FLATBUFFERS_ASSERT(size_ < FLATBUFFERS_MAX_BUFFER_SIZE); } // Central location where any verification failures register. - bool Check(bool ok) const { + bool Check(const bool ok) const { // clang-format off #ifdef FLATBUFFERS_DEBUG_VERIFICATION_FAILURE FLATBUFFERS_ASSERT(ok); @@ -54,7 +56,7 @@ } // Verify any range within the buffer. - bool Verify(size_t elem, size_t elem_len) const { + bool Verify(const size_t elem, const size_t elem_len) const { // clang-format off #ifdef FLATBUFFERS_TRACK_VERIFIER_BUFFER_SIZE auto upper_bound = elem + elem_len; @@ -65,52 +67,52 @@ return Check(elem_len < size_ && elem <= size_ - elem_len); } - bool VerifyAlignment(size_t elem, size_t align) const { + bool VerifyAlignment(const size_t elem, const size_t align) const { return Check((elem & (align - 1)) == 0 || !check_alignment_); } // Verify a range indicated by sizeof(T). - template<typename T> bool Verify(size_t elem) const { + template<typename T> bool Verify(const size_t elem) const { return VerifyAlignment(elem, sizeof(T)) && Verify(elem, sizeof(T)); } - bool VerifyFromPointer(const uint8_t *p, size_t len) { - auto o = static_cast<size_t>(p - buf_); - return Verify(o, len); + bool VerifyFromPointer(const uint8_t *const p, const size_t len) { + return Verify(static_cast<size_t>(p - buf_), len); } // Verify relative to a known-good base pointer. - bool VerifyFieldStruct(const uint8_t *base, voffset_t elem_off, - size_t elem_len, size_t align) const { - auto f = static_cast<size_t>(base - buf_) + elem_off; + bool VerifyFieldStruct(const uint8_t *const base, const voffset_t elem_off, + const size_t elem_len, const size_t align) const { + const auto f = static_cast<size_t>(base - buf_) + elem_off; return VerifyAlignment(f, align) && Verify(f, elem_len); } template<typename T> - bool VerifyField(const uint8_t *base, voffset_t elem_off, - size_t align) const { - auto f = static_cast<size_t>(base - buf_) + elem_off; + bool VerifyField(const uint8_t *const base, const voffset_t elem_off, + const size_t align) const { + const auto f = static_cast<size_t>(base - buf_) + elem_off; return VerifyAlignment(f, align) && Verify(f, sizeof(T)); } // Verify a pointer (may be NULL) of a table type. - template<typename T> bool VerifyTable(const T *table) { + template<typename T> bool VerifyTable(const T *const table) { return !table || table->Verify(*this); } // Verify a pointer (may be NULL) of any vector type. - template<typename T> bool VerifyVector(const Vector<T> *vec) const { + template<typename T> bool VerifyVector(const Vector<T> *const vec) const { return !vec || VerifyVectorOrString(reinterpret_cast<const uint8_t *>(vec), sizeof(T)); } // Verify a pointer (may be NULL) of a vector to struct. - template<typename T> bool VerifyVector(const Vector<const T *> *vec) const { + template<typename T> + bool VerifyVector(const Vector<const T *> *const vec) const { return VerifyVector(reinterpret_cast<const Vector<T> *>(vec)); } // Verify a pointer (may be NULL) to string. - bool VerifyString(const String *str) const { + bool VerifyString(const String *const str) const { size_t end; return !str || (VerifyVectorOrString(reinterpret_cast<const uint8_t *>(str), 1, &end) && @@ -119,24 +121,24 @@ } // Common code between vectors and strings. - bool VerifyVectorOrString(const uint8_t *vec, size_t elem_size, - size_t *end = nullptr) const { - auto veco = static_cast<size_t>(vec - buf_); + bool VerifyVectorOrString(const uint8_t *const vec, const size_t elem_size, + size_t *const end = nullptr) const { + const auto veco = static_cast<size_t>(vec - buf_); // Check we can read the size field. if (!Verify<uoffset_t>(veco)) return false; // Check the whole array. If this is a string, the byte past the array // must be 0. - auto size = ReadScalar<uoffset_t>(vec); - auto max_elems = FLATBUFFERS_MAX_BUFFER_SIZE / elem_size; + const auto size = ReadScalar<uoffset_t>(vec); + const auto max_elems = FLATBUFFERS_MAX_BUFFER_SIZE / elem_size; if (!Check(size < max_elems)) return false; // Protect against byte_size overflowing. - auto byte_size = sizeof(size) + elem_size * size; + const auto byte_size = sizeof(size) + elem_size * size; if (end) *end = veco + byte_size; return Verify(veco, byte_size); } // Special case for string contents, after the above has been called. - bool VerifyVectorOfStrings(const Vector<Offset<String>> *vec) const { + bool VerifyVectorOfStrings(const Vector<Offset<String>> *const vec) const { if (vec) { for (uoffset_t i = 0; i < vec->size(); i++) { if (!VerifyString(vec->Get(i))) return false; @@ -146,7 +148,8 @@ } // Special case for table contents, after the above has been called. - template<typename T> bool VerifyVectorOfTables(const Vector<Offset<T>> *vec) { + template<typename T> + bool VerifyVectorOfTables(const Vector<Offset<T>> *const vec) { if (vec) { for (uoffset_t i = 0; i < vec->size(); i++) { if (!vec->Get(i)->Verify(*this)) return false; @@ -156,31 +159,34 @@ } __supress_ubsan__("unsigned-integer-overflow") bool VerifyTableStart( - const uint8_t *table) { + const uint8_t *const table) { // Check the vtable offset. - auto tableo = static_cast<size_t>(table - buf_); + const auto tableo = static_cast<size_t>(table - buf_); if (!Verify<soffset_t>(tableo)) return false; // This offset may be signed, but doing the subtraction unsigned always // gives the result we want. - auto vtableo = tableo - static_cast<size_t>(ReadScalar<soffset_t>(table)); + const auto vtableo = + tableo - static_cast<size_t>(ReadScalar<soffset_t>(table)); // Check the vtable size field, then check vtable fits in its entirety. - if (!( VerifyComplexity() && Verify<voffset_t>(vtableo) && - VerifyAlignment(ReadScalar<voffset_t>(buf_ + vtableo), - sizeof(voffset_t)))) return false; - auto vsize = ReadScalar<voffset_t>(buf_ + vtableo); + if (!(VerifyComplexity() && Verify<voffset_t>(vtableo) && + VerifyAlignment(ReadScalar<voffset_t>(buf_ + vtableo), + sizeof(voffset_t)))) + return false; + const auto vsize = ReadScalar<voffset_t>(buf_ + vtableo); return Check((vsize & 1) == 0) && Verify(vtableo, vsize); } template<typename T> - bool VerifyBufferFromStart(const char *identifier, size_t start) { + bool VerifyBufferFromStart(const char *const identifier, const size_t start) { if (identifier && !Check((size_ >= 2 * sizeof(flatbuffers::uoffset_t) && BufferHasIdentifier(buf_ + start, identifier)))) { return false; } // Call T::Verify, which must be in the generated code for this type. - auto o = VerifyOffset(start); - return o && reinterpret_cast<const T *>(buf_ + start + o)->Verify(*this) + const auto o = VerifyOffset(start); + return Check(o != 0) && + reinterpret_cast<const T *>(buf_ + start + o)->Verify(*this) // clang-format off #ifdef FLATBUFFERS_TRACK_VERIFIER_BUFFER_SIZE && GetComputedSize() @@ -190,8 +196,8 @@ } template<typename T> - bool VerifyNestedFlatBuffer(const Vector<uint8_t> *buf, - const char *identifier) { + bool VerifyNestedFlatBuffer(const Vector<uint8_t> *const buf, + const char *const identifier) { if (!buf) return true; Verifier nested_verifier(buf->data(), buf->size()); return nested_verifier.VerifyBuffer<T>(identifier); @@ -200,19 +206,20 @@ // Verify this whole buffer, starting with root type T. template<typename T> bool VerifyBuffer() { return VerifyBuffer<T>(nullptr); } - template<typename T> bool VerifyBuffer(const char *identifier) { + template<typename T> bool VerifyBuffer(const char *const identifier) { return VerifyBufferFromStart<T>(identifier, 0); } - template<typename T> bool VerifySizePrefixedBuffer(const char *identifier) { + template<typename T> + bool VerifySizePrefixedBuffer(const char *const identifier) { return Verify<uoffset_t>(0U) && - ReadScalar<uoffset_t>(buf_) == size_ - sizeof(uoffset_t) && + Check(ReadScalar<uoffset_t>(buf_) == size_ - sizeof(uoffset_t)) && VerifyBufferFromStart<T>(identifier, sizeof(uoffset_t)); } - uoffset_t VerifyOffset(size_t start) const { + uoffset_t VerifyOffset(const size_t start) const { if (!Verify<uoffset_t>(start)) return 0; - auto o = ReadScalar<uoffset_t>(buf_ + start); + const auto o = ReadScalar<uoffset_t>(buf_ + start); // May not point to itself. if (!Check(o != 0)) return 0; // Can't wrap around / buffers are max 2GB. @@ -223,7 +230,8 @@ return o; } - uoffset_t VerifyOffset(const uint8_t *base, voffset_t start) const { + uoffset_t VerifyOffset(const uint8_t *const base, + const voffset_t start) const { return VerifyOffset(static_cast<size_t>(base - buf_) + start); } @@ -262,19 +270,21 @@ std::vector<uint8_t> *GetFlexReuseTracker() { return flex_reuse_tracker_; } - void SetFlexReuseTracker(std::vector<uint8_t> *rt) { + void SetFlexReuseTracker(std::vector<uint8_t> *const rt) { flex_reuse_tracker_ = rt; } private: const uint8_t *buf_; - size_t size_; - uoffset_t depth_; - uoffset_t max_depth_; - uoffset_t num_tables_; - uoffset_t max_tables_; + const size_t size_; + const uoffset_t max_depth_; + const uoffset_t max_tables_; + const bool check_alignment_; + mutable size_t upper_bound_; - bool check_alignment_; + + uoffset_t depth_; + uoffset_t num_tables_; std::vector<uint8_t> *flex_reuse_tracker_; };