Merge pull request #576 from bytecodesky/fix-integer-overflow-ints_utils.cpp

Fix: prevent integer overflow in events_ints_print bounds check

Author: biojppm

changelog/current.md

@@ -56,6 +56,7 @@
   ---
   more data here
   ```
+- [PR#576](https://github.com/biojppm/rapidyaml/pull/576) - `extra::events_ints_print()`: Prevent integer overflow in bounds check (thanks @bytecodesky).
 
 
 ### JSON emitting changes
@@ -98,3 +99,8 @@
 - [PR#565](https://github.com/biojppm/rapidyaml/pull/565) (fixes [#564](https://github.com/biojppm/rapidyaml/issues/564)) - `Tree` arena: allow relocation of zero-length strings when placed at the end (relax assertions triggered in `Tree::_relocated()`)
 - [PR#563](https://github.com/biojppm/rapidyaml/pull/563) (fixes [#562](https://github.com/biojppm/rapidyaml/issues/562)) - Fix bug in `NodeRef::cend()`
 - [PR#568](https://github.com/biojppm/rapidyaml/pull/568) - Move `escape_scalar()` from `c4/yml/extra/scalar.hpp` to `c4/yml/escape_scalar.hpp` (and removed the original header)
+
+
+### Thanks
+
+- @bytecodesky

src_extra/c4/yml/extra/event_handler_ints.hpp

@@ -204,9 +204,9 @@ struct EventHandlerIntsState : public c4::yml::ParserState
  *   BDOC,                        // begin doc
  *   VAL_|BSEQ|FLOW,              // begin seq as val, flow
  *   VAL_|SCLR|PLAI,      1, 1,   // val scalar, plain style: "a"   starts at offset 1 and has length 1
- *   VAL_|SCLR|PLAI|PSTR, 4, 2,   // val scalar, plain style: "bb"  starts at offset 4 and has length 2
- *   VAL_|SCLR|PLAI|PSTR, 8, 3,   // val scalar, plain style: "ccc" starts at offset 8 and has length 3
- *   ESEQ|PSTR,                   // end seq
+ *   VAL_|SCLR|PLAI|PSTR, 4, 2,   // val scalar, plain style: "bb"  starts at offset 4 and has length 2; preceded by a string event (PSTR)
+ *   VAL_|SCLR|PLAI|PSTR, 8, 3,   // val scalar, plain style: "ccc" starts at offset 8 and has length 3; preceded by a string event (PSTR)
+ *   ESEQ|PSTR,                   // end seq; preceded by a string event (PSTR)
  *   EDOC,                        // end doc
  *   ESTR,                        // end stream
  * };
@@ -239,7 +239,7 @@ i      :        6              |     7  8              9              |     10 1
                                |                                      |
                                prev event has string                  prev event has string
                                (to get to prev, jump                  (to get to prev, jump
-                               back 3: ie 6->3)                       back 3: ie 9->6)
+                               back 3 slots: ie 6->3)                 back 3 slots: ie 9->6)
 
 
 
@@ -251,7 +251,7 @@ i      :        12   |        13       14
                      |
                      prev event has string
                      (to get to it, jump
-                     back 3: ie 12->9)
+                     back 3 slots: ie 12->9)
 @endcode
  *
  * Note that the buffer contains both events and strings encoded as
@@ -405,7 +405,7 @@ i      :        12   |        13       14
  *
  * ```c++
  * const std::string src = ...;  // the YAML code to be parsed
- * std::string parsed_src = src; // this is where we will parse (filter during parsring)
+ * std::string parsed_src = src; // this is where we will parse (filter during parsing)
  * std::vector<int> evts((size_t)estimated_size); // ensure we have a fighting change to acommodate the events
  * std::vector<char> arena(src.size()); // ensure we have a fighting change to acommodate the events
  * ParseEngine<extra::EventHandlerInts> parser(&handler);

src_extra/c4/yml/extra/ints_utils.cpp

@@ -109,7 +109,7 @@ void events_ints_print(csubstr parsed_yaml, csubstr arena, ievt::DataType const*
             bool safe = (evts[evtpos + 1] >= 0)
                 && (evts[evtpos + 2] >= 0)
                 && (evts[evtpos + 1] <= (int)region.len)
-                && ((evts[evtpos + 1] + evts[evtpos + 2]) <= (int)region.len);
+		&& (evts[evtpos + 2] <= ((int)region.len - evts[evtpos + 1]));
             const char *str = safe ? (region.str + evts[evtpos + 1]) : "ERR!!!";
             int len = safe ? evts[evtpos + 2] : 6;
             printf(": %d [%d]~~~%.*s~~~", evts[evtpos+1], evts[evtpos+2], len, str);