Fix possible crash when reading corrupt file

Summary: As reported by lionhead, a corrupt vrs file could cause a crash. Adding a simple sanity check. Reviewed By: hanghu Differential Revision: D66209820 fbshipit-source-id: 6e1f61765244f7144d3e77e21e2ff1c6b249b298
facebookresearch · Nov 20, 2024 · c3be764 · c3be764
1 parent 9441fb8
commit c3be764
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/vrs/ContentBlockReader.cpp b/vrs/ContentBlockReader.cpp
@@ -439,15 +439,23 @@ bool DataLayoutBlockReader::readBlock(
   // The size of the variable size buffer can be read from the var size index, so we read
   // the fixed size buffer first, extract the size of the var size data from the var size index,
   // so we can then read the var size buffer...
+  const size_t kMaxDataSize = 1024 * 1024 * 1024; // 1GB
   DataLayout& layout = *blockLayout_;
   vector<int8_t>& fixedData = layout.getFixedData();
-  fixedData.resize(layout.getFixedDataSizeNeeded());
+  size_t fixedDataSize = layout.getFixedDataSizeNeeded();
+  if (!XR_VERIFY(fixedDataSize <= kMaxDataSize)) {
+    return false;
+  }
+  fixedData.resize(fixedDataSize);
   vector<int8_t>& varData = layout.getVarData();
   int readBlockStatus = record.reader->read(fixedData);
   if (readBlockStatus == 0) {
-    size_t varLength = layout.getVarDataSizeFromIndex();
-    varData.resize(varLength);
-    if (varLength > 0) {
+    size_t varDataSize = layout.getVarDataSizeFromIndex();
+    if (!XR_VERIFY(varDataSize <= kMaxDataSize)) {
+      return false;
+    }
+    varData.resize(varDataSize);
+    if (varDataSize > 0) {
       readBlockStatus = record.reader->read(varData);
     }
   } else {