fuzzing: fixed calculation of serializedSize() in features.go

This commit fixes an incorrectly calculated size of a
*FeatureVector in the serializedSize() function. go-fuzz
found that NewFeatureVectorFromReader does not add an
invalid flag to f.flags, but still advances past that
flag's index, leaving a gap in the map. This becomes a
problem when serializedSize() derives the length from
len(f.flags), which can lead to an index out of range
because some indices may be missing.
nsa 2017-09-15 13:04:46 -04:00 committed by Olaoluwa Osuntokun
parent 7662ea5d4d
commit d65f17f1b1

@ -113,7 +113,19 @@ func (f *FeatureVector) SetFeatureFlag(name featureName, flag featureFlag) error
// serializedSize returns the number of bytes which is needed to represent
// feature vector in byte format.
func (f *FeatureVector) serializedSize() uint16 {
return uint16(math.Ceil(float64(flagBitsSize*len(f.flags)) / 8))
// Find the largest index in f.flags
max := -1
for index := range f.flags {
if index > max {
max = index
}
}
if max == -1 {
return 0
}
// We calculate length via the largest index in f.flags so as to not
// get an index out of bounds in Encode's setFlag function.
return uint16(math.Ceil(float64(flagBitsSize*(max+1)) / 8))
}
// NewFeatureVectorFromReader decodes the feature vector from binary
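Review bot: The doc comment above `serializedSize` should state the invariant the new loop now relies on, since nothing in the function says why the highest key rather than `len(f.flags)` is used; something like `// f.flags may be sparse: the decoder skips the index of an unknown flag, so the size must cover the highest index, not the map length.` The result variable `max` shadows a builtin of the same name on Go 1.21 and later toolchains (it did not exist when this was written), so `maxIndex` is the safer name going forward. The loop also reports `0` for an empty map, which is behaviour worth a one-line comment since callers encoding an empty vector now get a zero-length payload. Because go-fuzz found this crash on wire-supplied input, a regression test that builds a vector with a gap in its indices and runs it through Encode would pin the fix; none is visible in this section.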