Fixed a fuzz bug when a negative oneof_index is provided. PiperOrigin-RevId: 647789835
diff --git a/upb/reflection/field_def.c b/upb/reflection/field_def.c
index c18f621..9f2775b 100644
--- a/upb/reflection/field_def.c
+++ b/upb/reflection/field_def.c
@@ -648,7 +648,7 @@
 f->full_name);
 }

- if (oneof_index >= upb_MessageDef_OneofCount(m)) {
+ if (oneof_index < 0 || oneof_index >= upb_MessageDef_OneofCount(m)) {
 _upb_DefBuilder_Errf(ctx, "oneof_index out of range (%s)",
 f->full_name);
 }
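Review bot: The new guard correctly rejects negative values, but the error message on the next line still reports only the field name; including the offending value, e.g. `"oneof_index out of range (%s: %d)"`, would make fuzz-found descriptors much quicker to triage (this assumes oneof_index is a signed int, as the new `< 0` test implies). Descriptors built at runtime are untrusted input, so the reason for the two-sided check deserves a comment above the `if`, such as `/* oneof_index comes straight from the descriptor: a negative value passes the upper-bound test alone and would presumably index the oneof table out of bounds. */`. The enclosing function starts and ends outside the hunk.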
diff --git a/upb/util/def_to_proto_test.cc b/upb/util/def_to_proto_test.cc
index 0c7b203..e14b8c4 100644
--- a/upb/util/def_to_proto_test.cc
+++ b/upb/util/def_to_proto_test.cc
@@ -333,4 +333,15 @@
 })pb"));
 }

+TEST(FuzzTest, NegativeOneofIndex) {
+ RoundTripDescriptor(ParseTextProtoOrDie(
+ R"pb(file {
+ message_type {
+ name: "A"
+ field { name: "A" number: 0 type_name: "" oneof_index: -1 }
+ }
+ }
+ )pb"));
+}
+
 } // namespace upb_test
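Review bot: The new test exercises the fix only by not crashing; nothing in it asserts that building the descriptor fails with the "oneof_index out of range" error, so if RoundTripDescriptor tolerates build failures silently (its definition is outside the hunk) a later regression that merely stops reporting the error would go unnoticed. The input also carries `number: 0` and `type_name: ""`, which may trip earlier validation before the oneof check is reached, so it is worth confirming that the negative index is the error actually produced. A comment above the test, e.g. `// Regression test: a negative oneof_index must be rejected by the def builder rather than used to index the oneof table.`, would also explain the otherwise odd-looking field values.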