ll: fix oob read in parse_content_metadata() found by fuzz

pythcoiner · pythcoiner · commit e1d94caf4569 · 2025-10-15T08:36:08.000+02:00
diff --git a/src/ll.rs b/src/ll.rs
@@ -105,6 +105,9 @@ pub fn parse_content_metadata(bytes: &[u8]) -> Result<(usize, Content), Error> {
         0 => Ok((1, Content::None)),
         1 => Err(Error::ContentMetadata),
         2 => {
+            if bytes.len() < 3 {
+                return Err(Error::ContentMetadata);
+            }
             let bip_number = u16::from_be_bytes(bytes[1..3].try_into().expect("len ok"));
             match bip_number {
                 380 => Ok((3, Content::Bip380)),
@@ -114,7 +117,7 @@ pub fn parse_content_metadata(bytes: &[u8]) -> Result<(usize, Content), Error> {
             }
         }
         len => {
-            let end = (len + 1) as usize;
+            let end = (len as usize + 1).min(bytes.len());
             let data = &bytes[1..end].to_vec();
             Ok((end, Content::Proprietary(data.to_vec())))
         }

Original file line number	Diff line number	Diff line change
`@@ -105,6 +105,9 @@ pub fn parse_content_metadata(bytes: &[u8]) -> Result<(usize, Content), Error> {`
`105`	`105`	`0 => Ok((1, Content::None)),`
`106`	`106`	`1 => Err(Error::ContentMetadata),`
`107`	`107`	`2 => {`
	`108`	`+ if bytes.len() < 3 {`
	`109`	`+ return Err(Error::ContentMetadata);`
	`110`	`+ }`
`108`	`111`	`let bip_number = u16::from_be_bytes(bytes[1..3].try_into().expect("len ok"));`
`109`	`112`	`match bip_number {`
`110`	`113`	`380 => Ok((3, Content::Bip380)),`
`@@ -114,7 +117,7 @@ pub fn parse_content_metadata(bytes: &[u8]) -> Result<(usize, Content), Error> {`
`114`	`117`	`}`
`115`	`118`	`}`
`116`	`119`	`len => {`
`117`		`- let end = (len + 1) as usize;`
	`120`	`+ let end = (len as usize + 1).min(bytes.len());`
`118`	`121`	`let data = &bytes[1..end].to_vec();`
`119`	`122`	`Ok((end, Content::Proprietary(data.to_vec())))`
`120`	`123`	`}`