[erlang-bugs] asn.1 - decoding corrupted binary
bruce green
bgreence@REDACTED
Tue Sep 2 19:01:17 CEST 2008
There is an infinite loop during corrupted binary decoding.
Example:
Rec3 DEFINITIONS IMPLICIT TAGS ::=
BEGIN
EXPORTS Rec3;
Rec3 ::= SET
{
recType [0] RecType,
typedItem [1] TypedItem OPTIONAL
}
RecType ::= INTEGER
{
rec4 (0),
rec5 (1)
}
TypedItem ::= OCTET STRING (SIZE(1..20))
END
the record:
#'Rec3'{recType=rec5,typedItem=[16#12,16#34,16#56,16#78,16#40,16#90,16#19,16#33]}
the encoded binary:
31 0D 80 01 01 81 08 12 34 56 78 40 90 19 33
the modified (=corrupted) binary:
31 0D 80 01 01 00 00 00 00 00 00 00 00 00 00
Now I try to decode the corrupted binary and the program goes into an
infinite loop.
The suspected code in the generated erl module:
'dec_Rec3_fun'(Bytes, OptOrMand) ->
...
%% tag not found, if extensionmark we should skip bytes here
_ -> {[], Bytes,0}
Tested on: R11B3 (asn1 - 1.4.4.11), R12B3 (asn1 - 1.5.2)
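As an added example, not code from the original post or from the OTP asn1 compiler: a minimal Python BER decoder for the Rec3 SET above that decodes the posted binary and, on the corrupted one, rejects the unknown tag instead of re-entering the component loop without consuming bytes. The helper names, offsets and error messages are my own choices.

```python
# Added example, not code from the original post or from the OTP asn1 compiler.
REC_TYPE = {0: "rec4", 1: "rec5"}                        # RecType named values
class DecodeError(ValueError):
    pass

def read_tlv(buf, pos):
    # One BER TLV at pos: single-byte tag, short-form definite length.
    if pos + 2 > len(buf):
        raise DecodeError("truncated TLV header at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        raise DecodeError("long-form length not handled in this example")
    if pos + length > len(buf):
        raise DecodeError("value overruns buffer at offset %d" % pos)
    return tag, buf[pos:pos + length], pos + length

def decode_rec3(buf):
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x31 or end != len(buf):
        raise DecodeError("input is not a single SET")
    rec, pos = {}, 0
    while pos < len(body):
        tag, val, new_pos = read_tlv(body, pos)
        if tag == 0x80 and "recType" not in rec:         # [0] IMPLICIT INTEGER
            n = int.from_bytes(val, "big", signed=True)
            if n not in REC_TYPE:
                raise DecodeError("recType value %d not in RecType" % n)
            rec["recType"] = REC_TYPE[n]
        elif tag == 0x81 and "typedItem" not in rec:     # [1] IMPLICIT OCTET STRING
            if not 1 <= len(val) <= 20:
                raise DecodeError("typedItem violates SIZE(1..20)")
            rec["typedItem"] = val
        else:
            # The hang in the post sits here: the generated code hands Bytes back
            # untouched ({[], Bytes, 0}), so the loop never advances. Fail instead.
            raise DecodeError("unexpected tag 0x%02X at offset %d" % (tag, pos))
        assert new_pos > pos                              # progress guarantee
        pos = new_pos
    if "recType" not in rec:
        raise DecodeError("mandatory component recType missing")
    return rec

def try_decode(hex_str):
    # Returns ('ok', record) or ('error', message); never loops on bad input.
    try:
        return "ok", decode_rec3(bytes.fromhex(hex_str))
    except DecodeError as e:
        return "error", str(e)
GOOD = "31 0D 80 01 01 81 08 12 34 56 78 40 90 19 33"      # bytes from the post
CORRUPT = "31 0D 80 01 01 00 00 00 00 00 00 00 00 00 00"   # bytes from the post
```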