From d90f50187289110d2005da327f05689a18f4898c Mon Sep 17 00:00:00 2001 From: poljar Date: Tue, 25 Jan 2022 17:49:26 +0100 Subject: [PATCH] Return an error if a decoded slice length doesn't fit into usize (#491) * Return an error if a decoded slice length doesn't fit into usize Bincode encodes a slice length, which is an usize, as an u64. When such an encoded slice length needs to be decoded it again uses an u64 but critically it truncates it into an usize. An usize is architecture dependent, it is the size how many bytes it takes to reference any location in memory. The most common sizes for an usize are 64, 32, and 16 bit. This might lead to silent data loss if the architecture that encoded the slice differs from the architecture that decoded the slice, i.e. if we go from a 64 bit architecture to a 32 or 16 bit one. Since bincode aims to be suitable for storage, aiming to support the exchange of data between different architectures silently truncating such slice lenghts should be avoided. This patch changes the behaviour to error out if we try to decode an slice lenght that can't fit into the current usize type. * Remove another two usize truncations * Rename the error variant if the usize doesn't fit anymore Co-authored-by: Trangar --- src/de/impls.rs | 9 +++++++-- src/de/mod.rs | 7 +++++-- src/error.rs | 8 ++++++++ 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/src/de/impls.rs b/src/de/impls.rs index b53e7ff..b7dfecc 100644 --- a/src/de/impls.rs +++ b/src/de/impls.rs @@ -172,10 +172,15 @@ impl Decode for usize { IntEncoding::Fixed => { let mut bytes = [0u8; 8]; decoder.reader().read(&mut bytes)?; - Ok(match D::C::ENDIAN { + + let value = match D::C::ENDIAN { Endian::Little => u64::from_le_bytes(bytes), Endian::Big => u64::from_be_bytes(bytes), - } as usize) + }; + + value + .try_into() + .map_err(|_| DecodeError::OutsideUsizeRange(value)) } } } diff --git a/src/de/mod.rs b/src/de/mod.rs index b107336..a25d372 100644 --- a/src/de/mod.rs +++ b/src/de/mod.rs @@ -149,7 +149,8 @@ pub trait Decoder: Sealed { /// # } /// impl Decode for Container { /// fn decode(decoder: &mut D) -> Result { - /// let len = u64::decode(decoder)? as usize; + /// let len = u64::decode(decoder)?; + /// let len: usize = len.try_into().map_err(|_| DecodeError::OutsideUsizeRange(len))?; /// // Make sure we don't allocate too much memory /// decoder.claim_bytes_read(len * core::mem::size_of::()); /// @@ -236,5 +237,7 @@ pub(crate) fn decode_option_variant( /// Decodes the length of any slice, container, etc from the decoder #[inline] pub(crate) fn decode_slice_len(decoder: &mut D) -> Result { - u64::decode(decoder).map(|v| v as usize) + let v = u64::decode(decoder)?; + + v.try_into().map_err(|_| DecodeError::OutsideUsizeRange(v)) } diff --git a/src/error.rs b/src/error.rs index 9262c41..17fee05 100644 --- a/src/error.rs +++ b/src/error.rs @@ -116,6 +116,14 @@ pub enum DecodeError { found: usize, }, + /// The encoded value is outside of the range of the target usize type. + /// + /// This can happen if an usize was encoded on an architecture with a larger + /// usize type and then decoded on an architecture with a smaller one. For + /// example going from a 64 bit architecture to a 32 or 16 bit one may + /// cause this error. + OutsideUsizeRange(u64), + /// Tried to decode an enum with no variants EmptyEnum { /// The type that was being decoded