fix(合并mqtt序列化库): Fix potential overwrites eclipse-paho/paho.mqtt.embe…

…dded-c#242
Ryan-CW-Code · Jun 4, 2024 · db4ae9b · db4ae9b
1 parent 72a4363
commit db4ae9b
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/pahoMqtt/MQTTSubscribeServer.c b/pahoMqtt/MQTTSubscribeServer.c
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2014 IBM Corp.
+ * Copyright (c) 2014, 2023 IBM Corp., Ian Craggs
  *
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
@@ -38,7 +38,7 @@ int MQTTDeserialize_subscribe(unsigned char* dup, unsigned short* packetid, int
 	MQTTHeader header = {0};
 	unsigned char* curdata = buf;
 	unsigned char* enddata = NULL;
-	int rc = -1;
+	int rc = MQTTPACKET_READ_ERROR;
 	int mylen = 0;
 
 	FUNC_ENTRY;
@@ -47,14 +47,20 @@ int MQTTDeserialize_subscribe(unsigned char* dup, unsigned short* packetid, int
 		goto exit;
 	*dup = header.bits.dup;
 
-	curdata += (rc = MQTTPacket_decodeBuf(curdata, &mylen)); /* read remaining length */
+	rc = MQTTPacket_decodeBuf(curdata, &mylen); /* read remaining length */
+	if (rc <= 0)
+		goto exit;
+	curdata += rc;
+	rc = MQTTPACKET_READ_ERROR;
 	enddata = curdata + mylen;
 
 	*packetid = readInt(&curdata);
 
 	*count = 0;
 	while (curdata < enddata)
 	{
+		if (*count == maxcount)
+			goto exit;
 		if (!readMQTTLenString(&topicFilters[*count], &curdata, enddata))
 			goto exit;
 		if (curdata >= enddata) /* do we have enough data to read the req_qos version byte? */
@@ -109,4 +115,3 @@ int MQTTSerialize_suback(unsigned char* buf, int buflen, unsigned short packetid
 	return rc;
 }
 
-