[erlang-bugs] asn.1 - decoding corrupted binary

bruce green <>
Tue Sep 2 19:01:17 CEST 2008


There is an infinite loop during corrupted binary decoding.

Example:

Rec3 DEFINITIONS IMPLICIT TAGS ::=
BEGIN
EXPORTS Rec3;
Rec3 ::= SET
{
recType [0] RecType,
typedItem [1] TypedItem OPTIONAL
}
RecType ::= INTEGER
{
rec4 (0),
rec5 (1)
}
TypedItem ::= OCTET STRING (SIZE(1..20))
END

the record:
#'Rec3'{recType=rec5,typedItem=[16#12,16#34,16#56,16#78,16#40,16#90,16#19,16#33]}

the encoded binary:
31 0D 80 01 01 81 08 12 34 56 78 40 90 19 33

the modified (=corrupted) binary:
31 0D 80 01 01 00 00 00 00 00 00 00 00 00 00

Now I try to decode the corrupted binary and the program goes into an
infinite loop.

The suspected code in the generated erl module:
'dec_Rec3_fun'(Bytes, OptOrMand) ->
...
%% tag not found, if extensionmark we should skip bytes here
_ -> {[], Bytes,0}

Tested on: R11B3 (asn1 - 1.4.4.11), R12B3 (asn1 - 1.5.2)
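The failure mode in this report is a component decoder that returns without consuming any input (the `{[], Bytes, 0}` branch), so the enclosing SET loop keeps re-reading the same bytes. The following is an added example, not code from the original post or from the OTP asn1 application: a small hand-written BER decoder for the `Rec3` SET above, in Python, that shows the two defensive checks a practitioner wants here: every TLV is consumed whole (so an unknown tag either fails loudly or is skipped by its full length), and a progress guard rejects any decode step that does not advance. It assumes the IMPLICIT context-specific tags `[0]` and `[1]` are encoded as `0x80` and `0x81`, which matches the encoded bytes quoted in the report; the helper names are this example's own.

```python
"""Defensive BER decoder for the Rec3 SET from the erlang-bugs report.

Added example: hand-written, not the OTP asn1 generated code. Sample byte
strings below are the ones quoted in the report (constructed test input).
"""

# Constructed from the report: valid encoding and the zero-filled corruption.
GOOD_BER = bytes.fromhex("31 0D 80 01 01 81 08 12 34 56 78 40 90 19 33")
CORRUPT_BER = bytes.fromhex("31 0D 80 01 01 00 00 00 00 00 00 00 00 00 00")

# RecType ::= INTEGER { rec4 (0), rec5 (1) }
REC_TYPE = {0: "rec4", 1: "rec5"}


class DecodeError(ValueError):
    """Raised for any malformed, truncated or non-advancing input."""


def read_tlv(buf, pos):
    """Read one tag-length-value at buf[pos]; return (tag, value, next_pos).

    Single-byte tags and definite lengths only. Every path either returns
    next_pos > pos or raises, so callers can never spin on the same offset.
    """
    if pos >= len(buf):
        raise DecodeError("truncated: expected a tag at offset %d" % pos)
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DecodeError("multi-byte tags not supported at offset %d" % pos)
    pos += 1
    if pos >= len(buf):
        raise DecodeError("truncated: expected a length at offset %d" % pos)
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        length = first
    elif first == 0x80:                   # indefinite length: reject in this profile
        raise DecodeError("indefinite length not allowed at offset %d" % (pos - 1))
    else:                                 # long form, at most 4 length octets
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise DecodeError("bad long-form length at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DecodeError("length %d exceeds remaining input at offset %d" % (length, pos))
    return tag, buf[pos:pos + length], pos + length


def decode_rec3(buf, skip_unknown=False):
    """Decode Rec3 ::= SET { recType [0] RecType, typedItem [1] OCTET STRING OPTIONAL }.

    skip_unknown=False rejects any component tag not in the schema;
    skip_unknown=True skips such a component by its full TLV length, which is
    the "skip bytes here" behaviour the generated code's comment alludes to.
    """
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x31:
        raise DecodeError("expected SET (0x31), got 0x%02x" % tag)
    if end != len(buf):
        raise DecodeError("%d trailing byte(s) after SET" % (len(buf) - end))

    fields = {}
    pos = 0
    while pos < len(body):
        start = pos
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x80:                   # [0] IMPLICIT INTEGER
            if "recType" in fields:
                raise DecodeError("duplicate recType")
            if not value:
                raise DecodeError("empty INTEGER for recType")
            n = int.from_bytes(value, "big", signed=True)
            if n not in REC_TYPE:
                raise DecodeError("recType value %d is not rec4/rec5" % n)
            fields["recType"] = REC_TYPE[n]
        elif tag == 0x81:                 # [1] IMPLICIT OCTET STRING (SIZE(1..20))
            if "typedItem" in fields:
                raise DecodeError("duplicate typedItem")
            if not 1 <= len(value) <= 20:
                raise DecodeError("typedItem size %d outside 1..20" % len(value))
            fields["typedItem"] = list(value)
        elif not skip_unknown:
            raise DecodeError("unexpected tag 0x%02x at SET offset %d" % (tag, start))
        # Progress guard: the reported bug was a component decoder returning
        # zero consumed bytes; a SET loop must never accept that.
        if pos <= start:
            raise DecodeError("decoder made no progress at SET offset %d" % start)

    if "recType" not in fields:
        raise DecodeError("mandatory component recType missing")
    return fields


def try_decode(buf, skip_unknown=False):
    """Return (True, fields) on success or (False, message) on rejection."""
    try:
        return True, decode_rec3(buf, skip_unknown)
    except DecodeError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(try_decode(GOOD_BER))
    print(try_decode(CORRUPT_BER))
    print(try_decode(CORRUPT_BER, skip_unknown=True))
```

In strict mode the corrupted input is rejected at the first zero tag; in skip mode each `00 00` pair is consumed as an empty TLV, the loop terminates because `read_tlv` always advances, and the result carries only the mandatory `recType`. Either way the decoder returns in bounded time, which is the property the generated Erlang code lacked.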
