Fix first fuzzing bug! Don't allow NullName as a full NameString

The spec isn't clear about this, but in the library we assume that an
`AmlName` is not empty. However, if a NullName appears as the only
element of a NamePath, we can accidentally create an empty AmlName when we
parse a NameString. This has never come up in real tables, but was detected
during fuzzing as breaking a whole bunch of stuff in the namespace searching
(due to the assumptions about AmlName being broken).
Isaac Woods 4 years ago
parent
commit
56472490c9
1 changed files with 9 additions and 3 deletions

+ 9 - 3
aml/src/name_object.rs

@@ -99,7 +99,15 @@ where
         match first_char {
             ROOT_CHAR => root_name_string.parse(input, context),
             PREFIX_CHAR => prefix_path.parse(input, context),
-            _ => name_path().map(|path| Ok(AmlName(path))).parse(input, context),
+            _ => name_path()
+                .map(|path| {
+                    if path.len() == 0 {
+                        return Err(AmlError::EmptyNamesAreInvalid);
+                    }
+
+                    Ok(AmlName(path))
+                })
+                .parse(input, context),
         }
     })
 }
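Review bot: The non-empty invariant is enforced only in the `_` arm of this match, so any other site that wraps a path with `AmlName(path)` can still build an empty name. The `ROOT_CHAR` and `PREFIX_CHAR` arms delegate to parsers that are not visible in this hunk, so it is worth confirming they cannot yield an empty `AmlName`, or moving the check into a single fallible constructor for `AmlName` that every parser goes through. Minor style point on the added closure: `path.len() == 0` reads better as `path.is_empty()`, and the early `return Err(...)` followed by `Ok(...)` could be a plain `if`/`else` expression. Since the commit message says this was found by fuzzing and the change touches only this one file, a regression test that feeds a NameString consisting of a lone NullName and expects `AmlError::EmptyNamesAreInvalid` would keep the fix from regressing.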
@@ -125,8 +133,6 @@ where
 {
     /*
      * NullName := 0x00
-     *
-     * This doesn't actually allocate because the `Vec`'s capacity is zero.
      */
     opcode(NULL_NAME).map(|_| Ok(Vec::with_capacity(0)))
 }
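Review bot: Missing documentation on the `NullName` comment: after this change the parser still returns an empty `Vec`, and the correctness of that now depends on the caller rejecting an empty path, but the comment no longer says anything about the return value. Suggest replacing the removed lines with a note that the empty path returned here is rejected with `AmlError::EmptyNamesAreInvalid` when it is the whole NameString. With the allocation remark gone, `Vec::with_capacity(0)` has no stated reason to differ from the more conventional `Vec::new()`.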