diff --git a/ChangeLog b/ChangeLog index 1bd237fb4..61f737680 100644 --- a/ChangeLog +++ b/ChangeLog @@ -32,6 +32,7 @@ incoming connection * added more detailed instrumentation of the disk I/O thread + * fixed bug in bdecoder when decoding invalid messages * added build warning when building with UNICODE but the standard library doesn't provide std::wstring * fixed add_node python binding diff --git a/src/lazy_bdecode.cpp b/src/lazy_bdecode.cpp index e3b10ced1..023114cfb 100644 --- a/src/lazy_bdecode.cpp +++ b/src/lazy_bdecode.cpp @@ -106,6 +106,7 @@ namespace libtorrent stack.pop_back(); continue; } + if (!is_digit(t)) return fail_bdecode(ret); boost::int64_t len = t - '0'; start = parse_int(start, end, ':', len); if (start == 0 || start + len + 3 > end || *start != ':') return fail_bdecode(ret); diff --git a/test/test_bencoding.cpp b/test/test_bencoding.cpp index 027d30940..6d9956404 100644 --- a/test/test_bencoding.cpp +++ b/test/test_bencoding.cpp 
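Review bot: In src/lazy_bdecode.cpp the bound check right after the added `is_digit` guard still evaluates `start + len + 3 > end` with `len` parsed from the input, so a large declared length can move the pointer past the buffer, which is undefined behaviour and may wrap to a value that passes the comparison. Comparing the length with the bytes that remain avoids the pointer arithmetic: `if (start == 0 || len < 0 || len > end - start - 3 || *start != ':') return fail_bdecode(ret);`. Whether `parse_int` itself rejects values that overflow `len` cannot be seen from this hunk and is worth confirming. The enclosing decode loop starts and ends outside the hunk.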
@@ -181,6 +181,29 @@ int test_main() TORRENT_ASSERT(e.dict_find("c")->string_length() == 3); TORRENT_ASSERT(e.dict_find_string_value("X") == "0123456789"); } + + // test invalid encoding + { + char buf[] = + { 0x64 , 0x31 , 0x3a , 0x61 , 0x64 , 0x32 , 0x3a , 0x69 + , 0x64 , 0x32 , 0x30 , 0x3a , 0x2a , 0x21 , 0x19 , 0x89 + , 0x9f , 0xcd , 0x5f , 0xc9 , 0xbc , 0x80 , 0xc1 , 0x76 + , 0xfe , 0xe0 , 0xc6 , 0x84 , 0x2d , 0xf6 , 0xfc , 0xb8 + , 0x39 , 0x3a , 0x69 , 0x6e , 0x66 , 0x6f , 0x5f , 0x68 + , 0x61 , 0xae , 0x68 , 0x32 , 0x30 , 0x3a , 0x14 , 0x78 + , 0xd5 , 0xb0 , 0xdc , 0xf6 , 0x82 , 0x42 , 0x32 , 0xa0 + , 0xd6 , 0x88 , 0xeb , 0x48 , 0x57 , 0x01 , 0x89 , 0x40 + , 0x4e , 0xbc , 0x65 , 0x31 , 0x3a , 0x71 , 0x39 , 0x3a + , 0x67 , 0x65 , 0x74 , 0x5f , 0x70 , 0x65 , 0x65 , 0x72 + , 0x78 , 0xff , 0x3a , 0x74 , 0x38 , 0x3a , 0xaa , 0xd4 + , 0xa1 , 0x88 , 0x7a , 0x8d , 0xc3 , 0xd6 , 0x31 , 0x3a + , 0x79 , 0x31 , 0xae , 0x71 , 0x65 , 0}; + + printf("%s\n", buf); + lazy_entry e; + int ret = lazy_bdecode(buf, buf + sizeof(buf), e); + TEST_CHECK(ret == -1); + } return 0; }
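Review bot: The new test passes `buf + sizeof(buf)` to `lazy_bdecode`, so the trailing `0` that exists only to terminate the string for `printf("%s\n", buf)` becomes part of the decoded input, and the printf writes raw non-printable bytes to the test output. I would drop the printf and the terminator, or keep them and decode up to `buf + sizeof(buf) - 1`. A short comment naming the malformed byte would also help the next reader, e.g. `// 0xff where a string-length digit is expected`; that is how I read the buffer, but it should be confirmed. `test_main` starts outside the hunk.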