Description
Using msgpack_unpack_init() for a buffer smaller than 16 bytes has a couple of problems.

- It always reads at least 16 bytes from 'data', even if n<16, which could cause a segv if the placement of the source buffer is unfortunate.
- It always sets m->end to at least 16 bytes past m->p, which means that later calls to msgpack_unpack_len() do not return the expected value. (In my case, I'm checking for unexpected extra data in the buffer by testing whether msgpack_unpack_len()==0 after I've unpacked everything I expect; for short messages, this test spuriously fails.)

I think the right fix is just to remove the line "if ( n < 16 ) n = 16;" from the function, which looks like a copy-and-paste-o from msgpack_pack_init() --- I can't see any benefit to having it in the unpack function.

This is in msgpackalt-0.5.
Original issue reported on code.google.com by wiml@omnigroup.com on 26 Nov 2013 at 1:46
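As an added illustration (not msgpackalt's code and not from the reporter), here is a minimal C stand-in for the init/len/read trio the report describes, with the clamped init beside the corrected one; the struct, the function names and the constructed 3-byte message are assumptions made for this demonstration only.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical unpacker state reusing the report's field names (m->p, m->end). */
typedef struct {
    const uint8_t *p;    /* read cursor */
    const uint8_t *end;  /* one past the last byte the caller supplied */
} unpacker_t;

/* Buggy init: reproduces the "if ( n < 16 ) n = 16;" clamp, so for n < 16
 * the end pointer lands beyond the message actually supplied. */
static void unpack_init_buggy(unpacker_t *m, const uint8_t *data, size_t n) {
    if (n < 16) n = 16;
    m->p = data;
    m->end = data + n;
}

/* Fixed init: clamp removed, end reflects the caller's real length. */
static void unpack_init_fixed(unpacker_t *m, const uint8_t *data, size_t n) {
    m->p = data;
    m->end = data + n;
}

/* Bytes remaining, as msgpack_unpack_len() is described to report. */
static size_t unpack_len(const unpacker_t *m) { return (size_t)(m->end - m->p); }

/* Read one byte, -1 when exhausted; the check is only as good as m->end. */
static int unpack_byte(unpacker_t *m, uint8_t *out) {
    if (m->p >= m->end) return -1;
    *out = *m->p++;
    return 0;
}

/* Constructed input: a 3-byte message (three positive fixints) at the front of a
 * zeroed 32-byte scratch area, so the buggy end pointer stays inside a real allocation. */
static const uint8_t scratch[32] = { 0x01, 0x02, 0x03 };
#define MSG_LEN 3

/* Unpack the MSG_LEN expected bytes, then apply the reporter's "nothing left over"
 * check. Returns unpack_len() after the expected reads (0 with the fix, 13 with the
 * bug); *extra_rc gets one more read's result (-1 with the fix, 0 with the bug). */
static size_t leftover_after_unpack(int use_buggy_init, int *extra_rc) {
    unpacker_t m; uint8_t b;
    if (use_buggy_init) unpack_init_buggy(&m, scratch, MSG_LEN);
    else                unpack_init_fixed(&m, scratch, MSG_LEN);
    for (int i = 0; i < MSG_LEN; i++) unpack_byte(&m, &b);
    size_t left = unpack_len(&m);
    *extra_rc = unpack_byte(&m, &b);   /* with the bug, a byte past the message is consumed */
    return left;
}
```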