commit 485044b19c85e4c50df34fd508d49838c0f5ee67
author Kasun Athukorala <kasunath@google.com> Tue Jul 15 00:59:36 2025 +0000
committer Kasun Athukorala <kasunath@google.com> Tue Jul 15 04:36:57 2025 +0000
tree 959485515d57dc540d3f35a2e8df7b7aede4c7f9
parent 9eb0117f0f5e5ed8ffe82d51f70d7af3b9baf6a0

bej_decoder: Check decoded string length

We need to check the bejString value lengths to prevent heap
buffer overflow

Tested:
Unit tested

Change-Id: Ie6a014fbffeb31f111bfbae331db197b3fb2f2ca
Signed-off-by: Kasun Athukorala <kasunath@google.com>

src/bej_decoder_core.c

diff --git a/src/bej_decoder_core.c b/src/bej_decoder_core.c
index e240d99..2536ed1 100644
--- a/src/bej_decoder_core.c
+++ b/src/bej_decoder_core.c
@@ -546,9 +546,10 @@
     }
     else
     {
-        RETURN_IF_CALLBACK_IERROR(params->decodedCallback->callbackString,
-                                  propName, (const char*)(params->sflv.value),
-                                  params->callbacksDataPtr);
+        RETURN_IF_CALLBACK_IERROR(
+            params->decodedCallback->callbackString, propName,
+            (const char*)(params->sflv.value), params->sflv.valueLength,
+            params->callbacksDataPtr);
     }
     params->state.encodedStreamOffset = params->sflv.valueEndOffset;
     return bejProcessEnding(params, /*canBeEmpty=*/false);

src/bej_decoder_json.cpp

diff --git a/src/bej_decoder_json.cpp b/src/bej_decoder_json.cpp
index 9fceeba..95e241f 100644
--- a/src/bej_decoder_json.cpp
+++ b/src/bej_decoder_json.cpp
@@ -1,5 +1,9 @@
 #include "bej_decoder_json.hpp"
 
+#include <string.h>
+
+#define MAX_BEJ_STRING_LEN 65536
+
 namespace libbej
 {
 
@@ -172,17 +176,29 @@
  *
  * @param[in] propertyName - a NULL terminated string.
  * @param[in] value - a NULL terminated string.
+ * @param[in] length - length of the string.
  * @param[in] dataPtr - pointing to a valid BejJsonParam struct.
  * @return 0 if successful.
  */
 static int callbackString(const char* propertyName, const char* value,
-                          void* dataPtr)
+                          size_t length, void* dataPtr)
 {
+    if ((length > MAX_BEJ_STRING_LEN) ||
+        (strnlen(value, length) != (length - 1)))
+    {
+        fprintf(stderr,
+                "Incorrect BEJ string length %zu or it exceeds maximum %u.\n",
+                (length - 1), MAX_BEJ_STRING_LEN);
+        return bejErrorInvalidSize;
+    }
     struct BejJsonParam* params =
         reinterpret_cast<struct BejJsonParam*>(dataPtr);
     addPropertyNameToOutput(params, propertyName);
     params->output->push_back('\"');
-    params->output->append(value);
+    if (length > 0)
+    {
+        params->output->append(value, length - 1);
+    }
     params->output->push_back('\"');
     *params->isPrevAnnotated = false;
     return 0;