Fix potential overflow in deserialization of Bitmap

RoaringBitmap · Apr 8, 2024 · 47eba81 · 47eba81
1 parent 946bbfd
commit 47eba81
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/src/bitmap/serialization.rs b/src/bitmap/serialization.rs
@@ -226,9 +226,11 @@ impl RoaringBitmap {
 
                 let cardinality = intervals.iter().map(|[_, len]| *len as usize).sum();
                 let mut store = Store::with_capacity(cardinality);
-                intervals.into_iter().for_each(|[s, len]| {
-                    store.insert_range(RangeInclusive::new(s, s + len));
-                });
+                intervals.into_iter().try_for_each(|[s, len]| -> Result<(), io::ErrorKind> {
+                    let end = s.checked_add(len).ok_or(io::ErrorKind::InvalidData)?;
+                    store.insert_range(RangeInclusive::new(s, end));
+                    Ok(())
+                })?;
                 store
             } else if cardinality <= ARRAY_LIMIT {
                 let mut values = vec![0; cardinality as usize];
@@ -267,4 +269,11 @@ mod test {
             prop_assert_eq!(bitmap, RoaringBitmap::deserialize_from(buffer.as_slice()).unwrap());
         }
     }
+
+    #[test]
+    fn test_deserialize_overflow_s_plus_len() {
+        let data = vec![59, 48, 0, 0, 255, 130, 254, 59, 48, 2, 0, 41, 255, 255, 166, 197, 4, 0, 2];
+        let res = RoaringBitmap::deserialize_from(data.as_slice());
+        assert!(res.is_err());
+    }
 }