Merge pull request #763

bunty95 · web-flow · commit 46bdde97c38e · 2026-02-12T14:51:55.000-05:00
fix crash in 2.28.0 due to buffer overflow
diff --git a/qdlt/qdltctrlmsg.cpp b/qdlt/qdltctrlmsg.cpp
@@ -2,6 +2,7 @@
 
 #include "dlt_common.h"
 
+#include <exception>
 #include <stdexcept>
 #include <cstring>
 #include <array>
@@ -24,7 +25,7 @@ QString asQString(IdType&& id) {
 template <typename T>
 T dltPayloadRead(const char *&dataPtr, int32_t &length, bool isBigEndian)
 {
-    if (sizeof(T) > static_cast<uint32_t>(length)) {
+    if (length < 0 || length < static_cast<int32_t>(sizeof(T))) {
         throw std::runtime_error("Invalid data length");
     }
 
@@ -46,7 +47,7 @@ T dltPayloadRead(const char *&dataPtr, int32_t &length, bool isBigEndian)
 
 IdType dltPayloadReadId(const char *&dataPtr, int32_t &length)
 {
-    if (DLT_ID_SIZE > length) {
+    if (length < 0 || length < DLT_ID_SIZE) {
         throw std::runtime_error("Invalid ID length");
     }
     IdType id{};
@@ -60,7 +61,7 @@ IdType dltPayloadReadId(const char *&dataPtr, int32_t &length)
 std::string dltPayloadReadString(const char *&dataPtr, int32_t &length, bool isBigEndian)
 {
     uint16_t strLength = dltPayloadRead<uint16_t>(dataPtr, length, isBigEndian);
-    if (strLength > length) {
+    if (length < 0 || strLength > length) {
         throw std::runtime_error(QString("Invalid string length %1 > %2").arg(strLength).arg(length).toStdString());
     }
     std::string str;
@@ -76,9 +77,11 @@ Type parse(const QByteArray& data, bool isBigEndian)
 {
     int32_t length = data.length();
     const char *dataPtr = data.data();
+    uint32_t serviceId = 0;
 
-    auto serviceId = dltPayloadRead<uint32_t>(dataPtr, length, isBigEndian);
-    switch (serviceId) {
+    try {
+        serviceId = dltPayloadRead<uint32_t>(dataPtr, length, isBigEndian);
+        switch (serviceId) {
         case DLT_SERVICE_ID_GET_LOG_INFO:
         {
             GetLogInfo msg;
@@ -140,9 +143,14 @@ Type parse(const QByteArray& data, bool isBigEndian)
             msg.ctxid = asQString(dltPayloadReadId(dataPtr, length));
             return msg;
         }
-    }
+        }
 
-    return Uninteresting{serviceId};
+        return Uninteresting{serviceId, false};
+    } catch (const std::exception&) {
+        return Uninteresting{serviceId, true};
+    } catch (...) {
+        return Uninteresting{serviceId, true};
+    }
 }
 
 }
diff --git a/qdlt/qdltctrlmsg.h b/qdlt/qdltctrlmsg.h
@@ -57,6 +57,7 @@ struct UnregisterContext {
 
 struct Uninteresting {
     uint32_t serviceId;
+    bool parseError = false;
 };
 
 using Type = std::variant<GetLogInfo, GetSoftwareVersion, GetDefaultLogLevel, SetLogLevel, Timezone,

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`
`3`	`3`	`#include "dlt_common.h"`
`4`	`4`
	`5`	`+#include <exception>`
`5`	`6`	`#include <stdexcept>`
`6`	`7`	`#include <cstring>`
`7`	`8`	`#include <array>`
`@@ -24,7 +25,7 @@ QString asQString(IdType&& id) {`
`24`	`25`	`template <typename T>`
`25`	`26`	`T dltPayloadRead(const char *&dataPtr, int32_t &length, bool isBigEndian)`
`26`	`27`	`{`
`27`		`- if (sizeof(T) > static_cast<uint32_t>(length)) {`
	`28`	`+ if (length < 0 \|\| length < static_cast<int32_t>(sizeof(T))) {`
`28`	`29`	`throw std::runtime_error("Invalid data length");`
`29`	`30`	`}`
`30`	`31`
`@@ -46,7 +47,7 @@ T dltPayloadRead(const char *&dataPtr, int32_t &length, bool isBigEndian)`
`46`	`47`
`47`	`48`	`IdType dltPayloadReadId(const char *&dataPtr, int32_t &length)`
`48`	`49`	`{`
`49`		`- if (DLT_ID_SIZE > length) {`
	`50`	`+ if (length < 0 \|\| length < DLT_ID_SIZE) {`
`50`	`51`	`throw std::runtime_error("Invalid ID length");`
`51`	`52`	`}`
`52`	`53`	`IdType id{};`
`@@ -60,7 +61,7 @@ IdType dltPayloadReadId(const char *&dataPtr, int32_t &length)`
`60`	`61`	`std::string dltPayloadReadString(const char *&dataPtr, int32_t &length, bool isBigEndian)`
`61`	`62`	`{`
`62`	`63`	`uint16_t strLength = dltPayloadRead<uint16_t>(dataPtr, length, isBigEndian);`
`63`		`- if (strLength > length) {`
	`64`	`+ if (length < 0 \|\| strLength > length) {`
`64`	`65`	`throw std::runtime_error(QString("Invalid string length %1 > %2").arg(strLength).arg(length).toStdString());`
`65`	`66`	`}`
`66`	`67`	`std::string str;`
`@@ -76,9 +77,11 @@ Type parse(const QByteArray& data, bool isBigEndian)`
`76`	`77`	`{`
`77`	`78`	`int32_t length = data.length();`
`78`	`79`	`const char *dataPtr = data.data();`
	`80`	`+ uint32_t serviceId = 0;`
`79`	`81`
`80`		`- auto serviceId = dltPayloadRead<uint32_t>(dataPtr, length, isBigEndian);`
`81`		`- switch (serviceId) {`
	`82`	`+ try {`
	`83`	`+ serviceId = dltPayloadRead<uint32_t>(dataPtr, length, isBigEndian);`
	`84`	`+ switch (serviceId) {`
`82`	`85`	`case DLT_SERVICE_ID_GET_LOG_INFO:`
`83`	`86`	`{`
`84`	`87`	`GetLogInfo msg;`
`@@ -140,9 +143,14 @@ Type parse(const QByteArray& data, bool isBigEndian)`
`140`	`143`	`msg.ctxid = asQString(dltPayloadReadId(dataPtr, length));`
`141`	`144`	`return msg;`
`142`	`145`	`}`
`143`		`- }`
	`146`	`+ }`
`144`	`147`
`145`		`- return Uninteresting{serviceId};`
	`148`	`+ return Uninteresting{serviceId, false};`
	`149`	`+ } catch (const std::exception&) {`
	`150`	`+ return Uninteresting{serviceId, true};`
	`151`	`+ } catch (...) {`
	`152`	`+ return Uninteresting{serviceId, true};`
	`153`	`+ }`
`146`	`154`	`}`
`147`	`155`
`148`	`156`	`}`