Verify stream size before allocating string / bytes. This stops ridicuously large mallocs from getting through on length-limited streams or buffers. Typically you should also override realloc() to limit allocation size yourself if dealing with untrusted data in pointer mode, but this at least limits the potential denial-of-service attacks.

commit: 2519119babea9e16ce5b14af50f87b4707865e8d [log] [tgz]
author: Petteri Aimonen <jpa@git.mail.kapsi.fi> Mon Jan 20 19:49:44 2020 +0200
committer: Petteri Aimonen <jpa@git.mail.kapsi.fi> Mon Jan 20 19:59:13 2020 +0200
tree: 2c1384b4b5eb366570df2a4db9de2bc7653f8dcf
parent: e397e3efacaeab1bc6cacc0dfdc259768aebfd8e [diff]
diff --git a/pb_decode.c b/pb_decode.c
index e2574d7..5085d20 100644
--- a/pb_decode.c
+++ b/pb_decode.c

@@ -1522,6 +1522,9 @@
 #ifndef PB_ENABLE_MALLOC
         PB_RETURN_ERROR(stream, "no malloc support");
 #else
+        if (stream->bytes_left < size)
+            PB_RETURN_ERROR(stream, "end-of-stream");
+
         if (!allocate_field(stream, field->pData, alloc_size, 1))
             return false;
         dest = *(pb_bytes_array_t**)field->pData;
@@ -1561,6 +1564,9 @@
 #ifndef PB_ENABLE_MALLOC
         PB_RETURN_ERROR(stream, "no malloc support");
 #else
+        if (stream->bytes_left < size)
+            PB_RETURN_ERROR(stream, "end-of-stream");
+
         if (!allocate_field(stream, field->pData, alloc_size, 1))
             return false;
         dest = *(pb_byte_t**)field->pData;
commit	2519119babea9e16ce5b14af50f87b4707865e8d	[log] [tgz]
author	Petteri Aimonen <jpa@git.mail.kapsi.fi>	Mon Jan 20 19:49:44 2020 +0200
committer	Petteri Aimonen <jpa@git.mail.kapsi.fi>	Mon Jan 20 19:59:13 2020 +0200
tree	2c1384b4b5eb366570df2a4db9de2bc7653f8dcf
parent	e397e3efacaeab1bc6cacc0dfdc259768aebfd8e [diff]