gobspect/valuedecode_test.go at main · codepuke/gobspect · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
package gobspect

import (
	"bytes"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// TestDecodeStructValue_LargeDeltaNoPanic ensures that a crafted gob message
// with an overflowing field delta (max uint64, which wraps to -1 when cast to
// int) returns an error rather than panicking with a negative slice index.
//
// Without the guard added to decodeStructValue, the flow is:
//
//	delta = ^uint64(0)  →  int(delta) = -1  →  fieldIdx = -1 + (-1) = -2
//	def.Fields[-2]  → runtime panic: index out of range
func TestDecodeStructValue_LargeDeltaNoPanic(t *testing.T) {
	// Gob varint encoding of ^uint64(0):
	//   first byte 0xF8  →  -int(int8(0xF8)) = 8  →  read 8 more bytes
	//   8 × 0xFF  →  value = 0xFFFFFFFFFFFFFFFF = ^uint64(0)
	overflowDelta := []byte{0xF8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}

	def := &wireStructType{
		Common: wireCommonType{Name: "TestStruct"},
		Fields: []wireFieldType{
			{Name: "X", ID: 2}, // single int field
		},
	}

	ins := New()
	sd := newStreamDecoder(wrapWithLimit(bytes.NewReader(nil), 0))
	vd := newValueDecoder(ins, sd)
	mr := &messageReader{cur: bytes.NewReader(overflowDelta)}

	_, err := vd.decodeStructValue(65, def, mr)
	require.Error(t, err, "expected an error, not a panic")
	assert.Contains(t, err.Error(), "out of range")
}

// TestDecodeStructValue_DeltaExactlyLenFields ensures a delta equal to the
// field count (one past the last valid index) is also rejected cleanly.
func TestDecodeStructValue_DeltaEqualToFieldCount_Error(t *testing.T) {
	// struct with 2 fields; delta=2 from fieldIdx=-1 → fieldIdx=1 which is
	// valid (field index 1 of 0..1). Delta=3 → fieldIdx=2 → out of range.
	//
	// Here we test delta == len(Fields) == 2, which is rejected before the int
	// cast by the new guard (delta > uint64(len(def.Fields))).
	def := &wireStructType{
		Common: wireCommonType{Name: "TwoFields"},
		Fields: []wireFieldType{
			{Name: "A", ID: 2},
			{Name: "B", ID: 2},
		},
	}
	// Encode delta=3 as a single-byte gob uint (3 < 128).
	deltaBytes := []byte{3} // delta=3 > len(Fields)=2 → rejected

	ins := New()
	sd := newStreamDecoder(wrapWithLimit(bytes.NewReader(nil), 0))
	vd := newValueDecoder(ins, sd)
	mr := &messageReader{cur: bytes.NewReader(deltaBytes)}

	_, err := vd.decodeStructValue(65, def, mr)
	require.Error(t, err)
	assert.Contains(t, err.Error(), "out of range")
}