Fixed a bug in MiniTable construction for extensions. #fuzzing

We were failing to assign the f->presence field, which resulted in a read of uninitialized memory. PiperOrigin-RevId: 462138061
protocolbuffers · Jul 20, 2022 · fcb5ef3 · fcb5ef3
1 parent ececc21
commit fcb5ef3
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/upb/mini_table.c b/upb/mini_table.c
@@ -1119,6 +1119,7 @@ const char* upb_MiniTable_BuildExtension(const char* data, size_t len,
       upb_MtDecoder_Parse(&decoder, data, len, ext, sizeof(*ext), &count, NULL);
   ext->field.mode |= kUpb_LabelFlags_IsExtension;
   ext->field.offset = 0;
+  ext->field.presence = 0;
   return ret;
 }
 

diff --git a/upb/msg_test.cc b/upb/msg_test.cc
@@ -515,7 +515,7 @@ TEST(MessageTest, MapField) {
 // }
 // FUZZ_TEST(FuzzTest, DecodeEncodeArbitrarySchemaAndPayload);
 //
-// TEST(FuzzTest, DecodeEncodeArbitrarySchemaAndPayloadRegression) {
+// TEST(FuzzTest, DecodeUnknownProto2EnumExtension) {
 //   DecodeEncodeArbitrarySchemaAndPayload(
 //       {{"\256\354Rt\216\3271\234", "\243\243\267\207\336gV\366w"},
 //        {"z"},
@@ -525,4 +525,13 @@ TEST(MessageTest, MapField) {
 //       "\010", -724543908, -591643538);
 // }
 //
+// TEST(FuzzTest, DecodeExtensionEnsurePresenceInitialized) {
+//   DecodeEncodeArbitrarySchemaAndPayload(
+//       {{"\031", "S", "\364", "", "", "j", "\303", "", "\224", "\277"},
+//        {},
+//        "_C-\236$*)C0C>",
+//        {4041515984, 2147483647, 1929379871, 0, 3715937258, 4294967295}},
+//       "\010\002", 342248070, -806315555);
+// }
+//
 // end:google_only