fix(core): Fix array length consistency check for UA_DataValue (#5911)

open62541 · Aug 2, 2023 · 1852357 · 1852357
1 parent 036b8c9
commit 1852357
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/src/ua_types_encoding_binary.c b/src/ua_types_encoding_binary.c
@@ -482,9 +482,13 @@ Array_decodeBinary(void *UA_RESTRICT *UA_RESTRICT dst, size_t *out_length,
 
     /* Filter out arrays that can obviously not be decoded, because the message
      * is too small for the array length. This prevents the allocation of very
-     * long arrays for bogus messages.*/
+     * long arrays for bogus messages.
+     *
+     * The worst known case (so far) is UA_DataValue. It has
+     * sizeof(UA_DataValue) == 80 and an empty DataValue is encoded with just
+     * one byte. We use 128 as the smallest power of 2 larger than 80. */
     size_t length = (size_t)signed_length;
-    if(ctx->pos + ((type->memSize * length) / 32) > ctx->end)
+    if(ctx->pos + ((type->memSize * length) / 128) > ctx->end)
         return UA_STATUSCODE_BADDECODINGERROR;
 
     /* Allocate memory */