zen - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Stefan Boberg <[email protected]>	2026-03-20 19:23:27 +0100
committer	Stefan Boberg <[email protected]>	2026-03-20 19:23:27 +0100
commit	712d235ba24a3c65bba1ef3ee6b6f10f08c96cb2 (patch)
tree	7982f16f53120af656d82401514964838307b613 /src/zenhttp/httpserver.cpp
parent	Validate attachment hashes in compute HTTP handlers (diff)
download	zen-712d235ba24a3c65bba1ef3ee6b6f10f08c96cb2.tar.xz zen-712d235ba24a3c65bba1ef3ee6b6f10f08c96cb2.zip

Harden CbPackage parsing against corrupt inputs

- Add ValidatePackageHeader helper to validate magic and guard against AttachmentCount overflow (UINT32_MAX + 1 wrapping to 0) - Add ValidateLocalRef helper to validate local-ref header and path length fit within the attachment buffer - Add bounds check for PayloadByteOffset/PayloadByteSize against file size before constructing sub-buffer in ParsePackageMessage - Widen attachment table size multiplication to uint64_t to prevent 32-bit wrap - Replace ZEN_ASSERTs on untrusted wire data with proper error reporting in both ParsePackageMessage and CbPackageReader

Diffstat (limited to 'src/zenhttp/httpserver.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: