From 4d4dfb621e434b8e71acbb397a6b67f8d5fb436c Mon Sep 17 00:00:00 2001
From: NikVolf
Date: Wed, 7 Mar 2018 13:37:14 +0300
Subject: [PATCH] validate trailing byte for i64
---
 res/cases/v1/err-leb-i64-too-long.wasm | Bin 0 -> 36 bytes
 src/elements/primitives.rs | 10 ++++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 res/cases/v1/err-leb-i64-too-long.wasm
diff --git a/res/cases/v1/err-leb-i64-too-long.wasm b/res/cases/v1/err-leb-i64-too-long.wasm
new file mode 100644
index 0000000000000000000000000000000000000000..efe9894175b345ad32bee1c24ad8c419716fdcfd
GIT binary patch literal 36 kcmZQbEY4+QU|?WmVN76PU}j=u;1XcuV{mGKfqW@$0AT0`E&u=k literal 0 HcmV?d00001
diff --git a/src/elements/primitives.rs b/src/elements/primitives.rs
index 9522f51..375f7cd 100644
--- a/src/elements/primitives.rs
+++ b/src/elements/primitives.rs
@@ -40,6 +40,8 @@ impl Deserialize for VarUint32 {
 let mut shift = 0;
 let mut u8buf = [0u8; 1];
 loop {
+ if shift > 31 { return Err(Error::InvalidVarUint32); }
+
 reader.read_exact(&mut u8buf)?;
 let b = u8buf[0] as u32;
 res |= (b & 0x7f).checked_shl(shift).ok_or(Error::InvalidVarUint32)?;
@@ -91,6 +93,8 @@ impl Deserialize for VarUint64 {
 let mut shift = 0;
 let mut u8buf = [0u8; 1];
 loop {
+ if shift > 63 { return Err(Error::InvalidVarUint64); }
+
 reader.read_exact(&mut u8buf)?;
 let b = u8buf[0] as u64;
 res |= (b & 0x7f).checked_shl(shift).ok_or(Error::InvalidVarUint64)?;
@@ -349,6 +353,12 @@ impl Deserialize for VarInt64 {
 if (b >> 7) == 0 {
 if shift < 64 && b & 0b0100_0000 == 0b0100_0000 {
 res |= (1i64 << shift).wrapping_neg();
+ } else if shift >= 64 && b & 0b0100_0000 == 0b0100_0000 {
+ if (b | 0b1000_0000) as i8 != -1 {
+ return Err(Error::InvalidVarInt64);
+ }
+ } else if shift >= 64 && b != 0 {
+ return Err(Error::InvalidVarInt64);
 }
 break;
 }
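Review bot: The added `if shift > 31` guard caps a `VarUint32` at five bytes, but the unused high bits of that fifth byte are still dropped silently: at `shift == 28`, `(b & 0x7f).checked_shl(shift)` succeeds (`checked_shl` only rejects a shift amount of 32 or more) and bits 4–6 of the byte fall off the top of the `u32`. Several distinct byte strings then decode to the same value, which is the kind of non-canonical input that lets two parsers disagree about the same module. Unless the part of the loop below the hunk already rejects it, add `if shift == 28 && b & 0x70 != 0 { return Err(Error::InvalidVarUint32); }` before the `res |=` line. The `VarUint64` hunk at `-91,6` has the same gap at `shift == 63`, where only bit 0 fits: `if shift == 63 && b & 0x7e != 0 { return Err(Error::InvalidVarUint64); }`.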
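Review bot: The two new `shift >= 64` branches in the `VarInt64` hunk together accept a terminating byte only when it is `0x00` or `0x7f`, but the `(b | 0b1000_0000) as i8 != -1` form makes that hard to see. A single branch reads more directly: `} else if shift >= 64 && b != 0x00 && b != 0x7f { return Err(Error::InvalidVarInt64); }`, with a comment such as `// final byte at shift >= 64: low 7 bits must be all 0 or all 1`. These branches run only when the continuation bit is clear, and the loop head is outside the hunk, so it is worth confirming that a byte with the continuation bit set at this depth is rejected there, as the `shift > 63` guard now does for `VarUint64`.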