godotengine
/
godot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix marshalls size checks. 

Yesterday, when playing around with my network code, I realized there is
a security issue in decode_variant, at least when decoding PoolArrays.
Basically, the size of the PoolArray is encoded in a uint32_t, when
decoding it, that value is cast to int when comparing if the packet is
actually that size causing numbers with MSB=1 to be interpreted as
negative thus always passing the check. That same value though, is used
as uint32_t again to resize the output vector.  For this reason, sending
a malformed packet with declared type PoolByteArray and size of 2^31(+x)
causes the engine to try to allocate 2+GB of pool memory, causing the
engine to crash.
This commit is contained in:
Fabio Alessandrelli 2018-07-08 15:11:41 +02:00 committed by Hein-Pieter van Braam
parent 1a325e3580
commit 5262d1bbcc
1 changed files with 79 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

183
core/io/marshalls.cpp
View File

@ -32,8 +32,13 @@
#include "os/keyboard.h" #include "os/keyboard.h"
#include "print_string.h" #include "print_string.h"
#include "reference.h" #include "reference.h"
#include <limits.h>
#include <stdio.h> #include <stdio.h>
#define _S(a) ((int32_t)a)
#define ERR_FAIL_ADD_OF(a, b, err) ERR_FAIL_COND_V(_S(b) < 0 || _S(a) < 0 || _S(a) > INT_MAX - _S(b), err)
#define ERR_FAIL_MUL_OF(a, b, err) ERR_FAIL_COND_V(_S(a) < 0 || _S(b) <= 0 || _S(a) > INT_MAX / _S(b), err)
void EncodedObjectAsID::_bind_methods() { void EncodedObjectAsID::_bind_methods() {
ClassDB::bind_method(D_METHOD("set_object_id", "id"), &EncodedObjectAsID::set_object_id); ClassDB::bind_method(D_METHOD("set_object_id", "id"), &EncodedObjectAsID::set_object_id);
ClassDB::bind_method(D_METHOD("get_object_id"), &EncodedObjectAsID::get_object_id); ClassDB::bind_method(D_METHOD("get_object_id"), &EncodedObjectAsID::get_object_id);
@ -60,23 +65,31 @@ EncodedObjectAsID::EncodedObjectAsID() {
static Error _decode_string(const uint8_t *&buf, int &len, int *r_len, String &r_string) { static Error _decode_string(const uint8_t *&buf, int &len, int *r_len, String &r_string) {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t strlen = decode_uint32(buf); int32_t strlen = decode_uint32(buf);
buf += 4; int32_t pad = 0;
len -= 4;
ERR_FAIL_COND_V((int)strlen > len, ERR_FILE_EOF);
String str; // Handle padding
str.parse_utf8((const char *)buf, strlen);
r_string = str;
//handle padding
if (strlen % 4) { if (strlen % 4) {
strlen += 4 - strlen % 4; pad = 4 - strlen % 4;
} }
buf += 4;
len -= 4;
// Ensure buffer is big enough
ERR_FAIL_ADD_OF(strlen, pad, ERR_FILE_EOF);
ERR_FAIL_COND_V(strlen < 0 || strlen + pad > len, ERR_FILE_EOF);
String str;
ERR_FAIL_COND_V(str.parse_utf8((const char *)buf, strlen), ERR_INVALID_DATA);
r_string = str;
// Add padding
strlen += pad;
// Update buffer pos, left data count, and return size
buf += strlen; buf += strlen;
len -= strlen; len -= strlen;
if (r_len) { if (r_len) {
(*r_len) += 4 + strlen; (*r_len) += 4 + strlen;
} }
@ -119,14 +132,15 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
} break; } break;
case Variant::INT: { case Variant::INT: {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
if (type & ENCODE_FLAG_64) { if (type & ENCODE_FLAG_64) {
ERR_FAIL_COND_V(len < 8, ERR_INVALID_DATA);
int64_t val = decode_uint64(buf); int64_t val = decode_uint64(buf);
r_variant = val; r_variant = val;
if (r_len) if (r_len)
(*r_len) += 8; (*r_len) += 8;
} else { } else {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
int32_t val = decode_uint32(buf); int32_t val = decode_uint32(buf);
r_variant = val; r_variant = val;
if (r_len) if (r_len)
@ -136,14 +150,14 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
} break; } break;
case Variant::REAL: { case Variant::REAL: {
ERR_FAIL_COND_V(len < (int)4, ERR_INVALID_DATA);
if (type & ENCODE_FLAG_64) { if (type & ENCODE_FLAG_64) {
ERR_FAIL_COND_V(len < 8, ERR_INVALID_DATA);
double val = decode_double(buf); double val = decode_double(buf);
r_variant = val; r_variant = val;
if (r_len) if (r_len)
(*r_len) += 8; (*r_len) += 8;
} else { } else {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
float val = decode_float(buf); float val = decode_float(buf);
r_variant = val; r_variant = val;
if (r_len) if (r_len)
@ -164,7 +178,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
// math types // math types
case Variant::VECTOR2: { case Variant::VECTOR2: {
ERR_FAIL_COND_V(len < (int)4 * 2, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4 * 2, ERR_INVALID_DATA);
Vector2 val; Vector2 val;
val.x = decode_float(&buf[0]); val.x = decode_float(&buf[0]);
val.y = decode_float(&buf[4]); val.y = decode_float(&buf[4]);
@ -176,7 +190,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
} break; // 5 } break; // 5
case Variant::RECT2: { case Variant::RECT2: {
ERR_FAIL_COND_V(len < (int)4 * 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4 * 4, ERR_INVALID_DATA);
Rect2 val; Rect2 val;
val.position.x = decode_float(&buf[0]); val.position.x = decode_float(&buf[0]);
val.position.y = decode_float(&buf[4]); val.position.y = decode_float(&buf[4]);
@ -190,7 +204,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
} break; } break;
case Variant::VECTOR3: { case Variant::VECTOR3: {
ERR_FAIL_COND_V(len < (int)4 * 3, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4 * 3, ERR_INVALID_DATA);
Vector3 val; Vector3 val;
val.x = decode_float(&buf[0]); val.x = decode_float(&buf[0]);
val.y = decode_float(&buf[4]); val.y = decode_float(&buf[4]);
@ -203,7 +217,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
} break; } break;
case Variant::TRANSFORM2D: { case Variant::TRANSFORM2D: {
ERR_FAIL_COND_V(len < (int)4 * 6, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4 * 6, ERR_INVALID_DATA);
Transform2D val; Transform2D val;
for (int i = 0; i < 3; i++) { for (int i = 0; i < 3; i++) {
for (int j = 0; j < 2; j++) { for (int j = 0; j < 2; j++) {
@ -220,7 +234,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
} break; } break;
case Variant::PLANE: { case Variant::PLANE: {
ERR_FAIL_COND_V(len < (int)4 * 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4 * 4, ERR_INVALID_DATA);
Plane val; Plane val;
val.normal.x = decode_float(&buf[0]); val.normal.x = decode_float(&buf[0]);
val.normal.y = decode_float(&buf[4]); val.normal.y = decode_float(&buf[4]);
@ -234,7 +248,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
} break; } break;
case Variant::QUAT: { case Variant::QUAT: {
ERR_FAIL_COND_V(len < (int)4 * 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4 * 4, ERR_INVALID_DATA);
Quat val; Quat val;
val.x = decode_float(&buf[0]); val.x = decode_float(&buf[0]);
val.y = decode_float(&buf[4]); val.y = decode_float(&buf[4]);
@ -248,7 +262,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
} break; } break;
case Variant::AABB: { case Variant::AABB: {
ERR_FAIL_COND_V(len < (int)4 * 6, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4 * 6, ERR_INVALID_DATA);
AABB val; AABB val;
val.position.x = decode_float(&buf[0]); val.position.x = decode_float(&buf[0]);
val.position.y = decode_float(&buf[4]); val.position.y = decode_float(&buf[4]);
@ -264,7 +278,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
} break; } break;
case Variant::BASIS: { case Variant::BASIS: {
ERR_FAIL_COND_V(len < (int)4 * 9, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4 * 9, ERR_INVALID_DATA);
Basis val; Basis val;
for (int i = 0; i < 3; i++) { for (int i = 0; i < 3; i++) {
for (int j = 0; j < 3; j++) { for (int j = 0; j < 3; j++) {
@ -281,7 +295,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
} break; } break;
case Variant::TRANSFORM: { case Variant::TRANSFORM: {
ERR_FAIL_COND_V(len < (int)4 * 12, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4 * 12, ERR_INVALID_DATA);
Transform val; Transform val;
for (int i = 0; i < 3; i++) { for (int i = 0; i < 3; i++) {
for (int j = 0; j < 3; j++) { for (int j = 0; j < 3; j++) {
@ -303,7 +317,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
// misc types // misc types
case Variant::COLOR: { case Variant::COLOR: {
ERR_FAIL_COND_V(len < (int)4 * 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4 * 4, ERR_INVALID_DATA);
Color val; Color val;
val.r = decode_float(&buf[0]); val.r = decode_float(&buf[0]);
val.g = decode_float(&buf[4]); val.g = decode_float(&buf[4]);
@ -318,7 +332,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
case Variant::NODE_PATH: { case Variant::NODE_PATH: {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t strlen = decode_uint32(buf); int32_t strlen = decode_uint32(buf);
if (strlen & 0x80000000) { if (strlen & 0x80000000) {
//new format //new format
@ -343,31 +357,15 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
for (uint32_t i = 0; i < total; i++) { for (uint32_t i = 0; i < total; i++) {
ERR_FAIL_COND_V((int)len < 4, ERR_INVALID_DATA);
strlen = decode_uint32(buf);
int pad = 0;
if (strlen % 4)
pad += 4 - strlen % 4;
buf += 4;
len -= 4;
ERR_FAIL_COND_V((int)strlen + pad > len, ERR_INVALID_DATA);
String str; String str;
str.parse_utf8((const char *)buf, strlen); Error err = _decode_string(buf, len, r_len, str);
if (err)
return err;
if (i < namecount) if (i < namecount)
names.push_back(str); names.push_back(str);
else else
subnames.push_back(str); subnames.push_back(str);
buf += strlen + pad;
len -= strlen + pad;
if (r_len)
(*r_len) += 4 + strlen + pad;
} }
r_variant = NodePath(names, subnames, flags & 1); r_variant = NodePath(names, subnames, flags & 1);
@ -375,17 +373,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
} else { } else {
//old format, just a string //old format, just a string
buf += 4; ERR_FAIL_V(ERR_INVALID_DATA);
len -= 4;
ERR_FAIL_COND_V((int)strlen > len, ERR_INVALID_DATA);
String str;
str.parse_utf8((const char *)buf, strlen);
r_variant = NodePath(str);
if (r_len)
(*r_len) += 4 + strlen;
} }
} break; } break;
@ -402,6 +390,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
if (type & ENCODE_FLAG_OBJECT_AS_ID) { if (type & ENCODE_FLAG_OBJECT_AS_ID) {
//this _is_ allowed //this _is_ allowed
ERR_FAIL_COND_V(len < 8, ERR_INVALID_DATA);
ObjectID val = decode_uint64(buf); ObjectID val = decode_uint64(buf);
if (r_len) if (r_len)
(*r_len) += 8; (*r_len) += 8;
@ -475,7 +464,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
case Variant::DICTIONARY: { case Variant::DICTIONARY: {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t count = decode_uint32(buf); int32_t count = decode_uint32(buf);
// bool shared = count&0x80000000; // bool shared = count&0x80000000;
count &= 0x7FFFFFFF; count &= 0x7FFFFFFF;
@ -488,7 +477,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
Dictionary d; Dictionary d;
for (uint32_t i = 0; i < count; i++) { for (int i = 0; i < count; i++) {
Variant key, value; Variant key, value;
@ -520,7 +509,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
case Variant::ARRAY: { case Variant::ARRAY: {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t count = decode_uint32(buf); int32_t count = decode_uint32(buf);
// bool shared = count&0x80000000; // bool shared = count&0x80000000;
count &= 0x7FFFFFFF; count &= 0x7FFFFFFF;
@ -533,7 +522,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
Array varr; Array varr;
for (uint32_t i = 0; i < count; i++) { for (int i = 0; i < count; i++) {
int used = 0; int used = 0;
Variant v; Variant v;
@ -555,17 +544,17 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
case Variant::POOL_BYTE_ARRAY: { case Variant::POOL_BYTE_ARRAY: {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t count = decode_uint32(buf); int32_t count = decode_uint32(buf);
buf += 4; buf += 4;
len -= 4; len -= 4;
ERR_FAIL_COND_V((int)count > len, ERR_INVALID_DATA); ERR_FAIL_COND_V(count < 0 || count > len, ERR_INVALID_DATA);
PoolVector<uint8_t> data; PoolVector<uint8_t> data;
if (count) { if (count) {
data.resize(count); data.resize(count);
PoolVector<uint8_t>::Write w = data.write(); PoolVector<uint8_t>::Write w = data.write();
for (uint32_t i = 0; i < count; i++) { for (int32_t i = 0; i < count; i++) {
w[i] = buf[i]; w[i] = buf[i];
} }
@ -585,10 +574,11 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
case Variant::POOL_INT_ARRAY: { case Variant::POOL_INT_ARRAY: {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t count = decode_uint32(buf); int32_t count = decode_uint32(buf);
buf += 4; buf += 4;
len -= 4; len -= 4;
ERR_FAIL_COND_V((int)count * 4 > len, ERR_INVALID_DATA); ERR_FAIL_MUL_OF(count, 4, ERR_INVALID_DATA);
ERR_FAIL_COND_V(count < 0 || count * 4 > len, ERR_INVALID_DATA);
PoolVector<int> data; PoolVector<int> data;
@ -596,7 +586,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
//const int*rbuf=(const int*)buf; //const int*rbuf=(const int*)buf;
data.resize(count); data.resize(count);
PoolVector<int>::Write w = data.write(); PoolVector<int>::Write w = data.write();
for (uint32_t i = 0; i < count; i++) { for (int32_t i = 0; i < count; i++) {
w[i] = decode_uint32(&buf[i * 4]); w[i] = decode_uint32(&buf[i * 4]);
} }
@ -612,10 +602,11 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
case Variant::POOL_REAL_ARRAY: { case Variant::POOL_REAL_ARRAY: {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t count = decode_uint32(buf); int32_t count = decode_uint32(buf);
buf += 4; buf += 4;
len -= 4; len -= 4;
ERR_FAIL_COND_V((int)count * 4 > len, ERR_INVALID_DATA); ERR_FAIL_MUL_OF(count, 4, ERR_INVALID_DATA);
ERR_FAIL_COND_V(count < 0 || count * 4 > len, ERR_INVALID_DATA);
PoolVector<float> data; PoolVector<float> data;
@ -623,7 +614,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
//const float*rbuf=(const float*)buf; //const float*rbuf=(const float*)buf;
data.resize(count); data.resize(count);
PoolVector<float>::Write w = data.write(); PoolVector<float>::Write w = data.write();
for (uint32_t i = 0; i < count; i++) { for (int32_t i = 0; i < count; i++) {
w[i] = decode_float(&buf[i * 4]); w[i] = decode_float(&buf[i * 4]);
} }
@ -640,7 +631,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
case Variant::POOL_STRING_ARRAY: { case Variant::POOL_STRING_ARRAY: {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t count = decode_uint32(buf); int32_t count = decode_uint32(buf);
PoolVector<String> strings; PoolVector<String> strings;
buf += 4; buf += 4;
@ -650,35 +641,14 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
(*r_len) += 4; (*r_len) += 4;
//printf("string count: %i\n",count); //printf("string count: %i\n",count);
for (int i = 0; i < (int)count; i++) { for (int32_t i = 0; i < count; i++) {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t strlen = decode_uint32(buf);
buf += 4;
len -= 4;
ERR_FAIL_COND_V((int)strlen > len, ERR_INVALID_DATA);
//printf("loaded string: %s\n",(const char*)buf);
String str; String str;
str.parse_utf8((const char *)buf, strlen); Error err = _decode_string(buf, len, r_len, str);
if (err)
return err;
strings.push_back(str); strings.push_back(str);
buf += strlen;
len -= strlen;
if (r_len)
(*r_len) += 4 + strlen;
if (strlen % 4) {
int pad = 4 - (strlen % 4);
buf += pad;
len -= pad;
if (r_len) {
(*r_len) += pad;
}
}
} }
r_variant = strings; r_variant = strings;
@ -687,11 +657,12 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
case Variant::POOL_VECTOR2_ARRAY: { case Variant::POOL_VECTOR2_ARRAY: {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t count = decode_uint32(buf); int32_t count = decode_uint32(buf);
buf += 4; buf += 4;
len -= 4; len -= 4;
ERR_FAIL_COND_V((int)count * 4 * 2 > len, ERR_INVALID_DATA); ERR_FAIL_MUL_OF(count, 4 * 2, ERR_INVALID_DATA);
ERR_FAIL_COND_V(count < 0 || count * 4 * 2 > len, ERR_INVALID_DATA);
PoolVector<Vector2> varray; PoolVector<Vector2> varray;
if (r_len) { if (r_len) {
@ -702,7 +673,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
varray.resize(count); varray.resize(count);
PoolVector<Vector2>::Write w = varray.write(); PoolVector<Vector2>::Write w = varray.write();
for (int i = 0; i < (int)count; i++) { for (int32_t i = 0; i < count; i++) {
w[i].x = decode_float(buf + i * 4 * 2 + 4 * 0); w[i].x = decode_float(buf + i * 4 * 2 + 4 * 0);
w[i].y = decode_float(buf + i * 4 * 2 + 4 * 1); w[i].y = decode_float(buf + i * 4 * 2 + 4 * 1);
@ -722,11 +693,13 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
case Variant::POOL_VECTOR3_ARRAY: { case Variant::POOL_VECTOR3_ARRAY: {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t count = decode_uint32(buf); int32_t count = decode_uint32(buf);
buf += 4; buf += 4;
len -= 4; len -= 4;
ERR_FAIL_COND_V((int)count * 4 * 3 > len, ERR_INVALID_DATA); ERR_FAIL_MUL_OF(count, 4 * 3, ERR_INVALID_DATA);
ERR_FAIL_COND_V(count < 0 || count * 4 * 3 > len, ERR_INVALID_DATA);
PoolVector<Vector3> varray; PoolVector<Vector3> varray;
if (r_len) { if (r_len) {
@ -737,7 +710,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
varray.resize(count); varray.resize(count);
PoolVector<Vector3>::Write w = varray.write(); PoolVector<Vector3>::Write w = varray.write();
for (int i = 0; i < (int)count; i++) { for (int32_t i = 0; i < count; i++) {
w[i].x = decode_float(buf + i * 4 * 3 + 4 * 0); w[i].x = decode_float(buf + i * 4 * 3 + 4 * 0);
w[i].y = decode_float(buf + i * 4 * 3 + 4 * 1); w[i].y = decode_float(buf + i * 4 * 3 + 4 * 1);
@ -758,11 +731,13 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
case Variant::POOL_COLOR_ARRAY: { case Variant::POOL_COLOR_ARRAY: {
ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA); ERR_FAIL_COND_V(len < 4, ERR_INVALID_DATA);
uint32_t count = decode_uint32(buf); int32_t count = decode_uint32(buf);
buf += 4; buf += 4;
len -= 4; len -= 4;
ERR_FAIL_COND_V((int)count * 4 * 4 > len, ERR_INVALID_DATA); ERR_FAIL_MUL_OF(count, 4 * 4, ERR_INVALID_DATA);
ERR_FAIL_COND_V(count < 0 || count * 4 * 4 > len, ERR_INVALID_DATA);
PoolVector<Color> carray; PoolVector<Color> carray;
if (r_len) { if (r_len) {
@ -773,7 +748,7 @@ Error decode_variant(Variant &r_variant, const uint8_t *p_buffer, int p_len, int
carray.resize(count); carray.resize(count);
PoolVector<Color>::Write w = carray.write(); PoolVector<Color>::Write w = carray.write();
for (int i = 0; i < (int)count; i++) { for (int32_t i = 0; i < count; i++) {
w[i].r = decode_float(buf + i * 4 * 4 + 4 * 0); w[i].r = decode_float(buf + i * 4 * 4 + 4 * 0);
w[i].g = decode_float(buf + i * 4 * 4 + 4 * 1); w[i].g = decode_float(buf + i * 4 * 4 + 4 * 1);
@ -1321,7 +1296,7 @@ Error encode_variant(const Variant &p_variant, uint8_t *r_buffer, int &r_len, bo
while (r_len % 4) { while (r_len % 4) {
r_len++; //pad r_len++; //pad
if (buf) if (buf)
buf++; *(buf++) = 0;
} }
} }