Coverage Report

Created: 2024-06-18 06:33

/src/nanopb/pb_decode.c
Line
Count
Source (jump to first uncovered line)
1
/* pb_decode.c -- decode a protobuf using minimal resources
2
 *
3
 * 2011 Petteri Aimonen <jpa@kapsi.fi>
4
 */
5
6
/* Use the GCC warn_unused_result attribute to check that all return values
7
 * are propagated correctly. On other compilers, gcc before 3.4.0 and iar
8
 * before 9.40.1 just ignore the annotation.
9
 */
10
#if (defined(__GNUC__) && ((__GNUC__ > 3) || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))) || \
11
    (defined(__IAR_SYSTEMS_ICC__) && (__VER__ >= 9040001))
12
    #define checkreturn __attribute__((warn_unused_result))
13
#else
14
    #define checkreturn
15
#endif
16
17
#include "pb.h"
18
#include "pb_decode.h"
19
#include "pb_common.h"
20
21
/**************************************
22
 * Declarations internal to this file *
23
 **************************************/
24
25
static bool checkreturn buf_read(pb_istream_t *stream, pb_byte_t *buf, size_t count);
26
static bool checkreturn pb_decode_varint32_eof(pb_istream_t *stream, uint32_t *dest, bool *eof);
27
static bool checkreturn read_raw_value(pb_istream_t *stream, pb_wire_type_t wire_type, pb_byte_t *buf, size_t *size);
28
static bool checkreturn decode_basic_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field);
29
static bool checkreturn decode_static_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field);
30
static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field);
31
static bool checkreturn decode_callback_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field);
32
static bool checkreturn decode_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field);
33
static bool checkreturn default_extension_decoder(pb_istream_t *stream, pb_extension_t *extension, uint32_t tag, pb_wire_type_t wire_type);
34
static bool checkreturn decode_extension(pb_istream_t *stream, uint32_t tag, pb_wire_type_t wire_type, pb_extension_t *extension);
35
static bool pb_field_set_to_default(pb_field_iter_t *field);
36
static bool pb_message_set_to_defaults(pb_field_iter_t *iter);
37
static bool checkreturn pb_dec_bool(pb_istream_t *stream, const pb_field_iter_t *field);
38
static bool checkreturn pb_dec_varint(pb_istream_t *stream, const pb_field_iter_t *field);
39
static bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_iter_t *field);
40
static bool checkreturn pb_dec_string(pb_istream_t *stream, const pb_field_iter_t *field);
41
static bool checkreturn pb_dec_submessage(pb_istream_t *stream, const pb_field_iter_t *field);
42
static bool checkreturn pb_dec_fixed_length_bytes(pb_istream_t *stream, const pb_field_iter_t *field);
43
static bool checkreturn pb_skip_varint(pb_istream_t *stream);
44
static bool checkreturn pb_skip_string(pb_istream_t *stream);
45
46
#ifdef PB_ENABLE_MALLOC
47
static bool checkreturn allocate_field(pb_istream_t *stream, void *pData, size_t data_size, size_t array_size);
48
static void initialize_pointer_field(void *pItem, pb_field_iter_t *field);
49
static bool checkreturn pb_release_union_field(pb_istream_t *stream, pb_field_iter_t *field);
50
static void pb_release_single_field(pb_field_iter_t *field);
51
#endif
52
53
#ifdef PB_WITHOUT_64BIT
54
#define pb_int64_t int32_t
55
#define pb_uint64_t uint32_t
56
#else
57
1.24M
#define pb_int64_t int64_t
58
890k
#define pb_uint64_t uint64_t
59
#endif
60
61
typedef struct {
62
    uint32_t bitfield[(PB_MAX_REQUIRED_FIELDS + 31) / 32];
63
} pb_fields_seen_t;
64
65
/*******************************
66
 * pb_istream_t implementation *
67
 *******************************/
68
69
static bool checkreturn buf_read(pb_istream_t *stream, pb_byte_t *buf, size_t count)
70
3.32M
{
71
3.32M
    const pb_byte_t *source = (const pb_byte_t*)stream->state;
72
3.32M
    stream->state = (pb_byte_t*)stream->state + count;
73
    
74
3.32M
    if (buf != NULL)
75
3.26M
    {
76
3.26M
        memcpy(buf, source, count * sizeof(pb_byte_t));
77
3.26M
    }
78
    
79
3.32M
    return true;
80
3.32M
}
81
82
bool checkreturn pb_read(pb_istream_t *stream, pb_byte_t *buf, size_t count)
83
813k
{
84
813k
    if (count == 0)
85
51.5k
        return true;
86
87
762k
#ifndef PB_BUFFER_ONLY
88
762k
  if (buf == NULL && stream->callback != buf_read)
89
19.0k
  {
90
    /* Skip input bytes */
91
19.0k
    pb_byte_t tmp[16];
92
225k
    while (count > 16)
93
206k
    {
94
206k
      if (!pb_read(stream, tmp, 16))
95
684
        return false;
96
      
97
206k
      count -= 16;
98
206k
    }
99
    
100
18.3k
    return pb_read(stream, tmp, count);
101
19.0k
  }
102
743k
#endif
103
104
743k
    if (stream->bytes_left < count)
105
820
        PB_RETURN_ERROR(stream, "end-of-stream");
106
    
107
742k
#ifndef PB_BUFFER_ONLY
108
742k
    if (!stream->callback(stream, buf, count))
109
2.51k
        PB_RETURN_ERROR(stream, "io error");
110
#else
111
    if (!buf_read(stream, buf, count))
112
        return false;
113
#endif
114
    
115
739k
    if (stream->bytes_left < count)
116
0
        stream->bytes_left = 0;
117
739k
    else
118
739k
        stream->bytes_left -= count;
119
120
739k
    return true;
121
742k
}
122
123
/* Read a single byte from input stream. buf may not be NULL.
124
 * This is an optimization for the varint decoding. */
125
static bool checkreturn pb_readbyte(pb_istream_t *stream, pb_byte_t *buf)
126
4.06M
{
127
4.06M
    if (stream->bytes_left == 0)
128
1.05k
        PB_RETURN_ERROR(stream, "end-of-stream");
129
130
4.06M
#ifndef PB_BUFFER_ONLY
131
4.06M
    if (!stream->callback(stream, buf, 1))
132
3.64k
        PB_RETURN_ERROR(stream, "io error");
133
#else
134
    *buf = *(const pb_byte_t*)stream->state;
135
    stream->state = (pb_byte_t*)stream->state + 1;
136
#endif
137
138
4.05M
    stream->bytes_left--;
139
    
140
4.05M
    return true;    
141
4.06M
}
142
143
pb_istream_t pb_istream_from_buffer(const pb_byte_t *buf, size_t msglen)
144
87.9k
{
145
87.9k
    pb_istream_t stream;
146
    /* Cast away the const from buf without a compiler error.  We are
147
     * careful to use it only in a const manner in the callbacks.
148
     */
149
87.9k
    union {
150
87.9k
        void *state;
151
87.9k
        const void *c_state;
152
87.9k
    } state;
153
#ifdef PB_BUFFER_ONLY
154
    stream.callback = NULL;
155
#else
156
87.9k
    stream.callback = &buf_read;
157
87.9k
#endif
158
87.9k
    state.c_state = buf;
159
87.9k
    stream.state = state.state;
160
87.9k
    stream.bytes_left = msglen;
161
87.9k
#ifndef PB_NO_ERRMSG
162
87.9k
    stream.errmsg = NULL;
163
87.9k
#endif
164
87.9k
    return stream;
165
87.9k
}
166
167
/********************
168
 * Helper functions *
169
 ********************/
170
171
static bool checkreturn pb_decode_varint32_eof(pb_istream_t *stream, uint32_t *dest, bool *eof)
172
1.94M
{
173
1.94M
    pb_byte_t byte;
174
1.94M
    uint32_t result;
175
    
176
1.94M
    if (!pb_readbyte(stream, &byte))
177
3.23k
    {
178
3.23k
        if (stream->bytes_left == 0)
179
1.95k
        {
180
1.95k
            if (eof)
181
1.11k
            {
182
1.11k
                *eof = true;
183
1.11k
            }
184
1.95k
        }
185
186
3.23k
        return false;
187
3.23k
    }
188
    
189
1.94M
    if ((byte & 0x80) == 0)
190
1.51M
    {
191
        /* Quick case, 1 byte value */
192
1.51M
        result = byte;
193
1.51M
    }
194
425k
    else
195
425k
    {
196
        /* Multibyte case */
197
425k
        uint_fast8_t bitpos = 7;
198
425k
        result = byte & 0x7F;
199
        
200
425k
        do
201
475k
        {
202
475k
            if (!pb_readbyte(stream, &byte))
203
466
                return false;
204
            
205
474k
            if (bitpos >= 32)
206
3.73k
            {
207
                /* Note: The varint could have trailing 0x80 bytes, or 0xFF for negative. */
208
3.73k
                pb_byte_t sign_extension = (bitpos < 63) ? 0xFF : 0x01;
209
3.73k
                bool valid_extension = ((byte & 0x7F) == 0x00 ||
210
3.73k
                         ((result >> 31) != 0 && byte == sign_extension));
211
212
3.73k
                if (bitpos >= 64 || !valid_extension)
213
261
                {
214
261
                    PB_RETURN_ERROR(stream, "varint overflow");
215
261
                }
216
3.73k
            }
217
470k
            else if (bitpos == 28)
218
2.74k
            {
219
2.74k
                if ((byte & 0x70) != 0 && (byte & 0x78) != 0x78)
220
125
                {
221
125
                    PB_RETURN_ERROR(stream, "varint overflow");
222
125
                }
223
2.62k
                result |= (uint32_t)(byte & 0x0F) << bitpos;
224
2.62k
            }
225
468k
            else
226
468k
            {
227
468k
                result |= (uint32_t)(byte & 0x7F) << bitpos;
228
468k
            }
229
474k
            bitpos = (uint_fast8_t)(bitpos + 7);
230
474k
        } while (byte & 0x80);
231
425k
   }
232
   
233
1.93M
   *dest = result;
234
1.93M
   return true;
235
1.94M
}
236
237
bool checkreturn pb_decode_varint32(pb_istream_t *stream, uint32_t *dest)
238
354k
{
239
354k
    return pb_decode_varint32_eof(stream, dest, NULL);
240
354k
}
241
242
#ifndef PB_WITHOUT_64BIT
243
bool checkreturn pb_decode_varint(pb_istream_t *stream, uint64_t *dest)
244
828k
{
245
828k
    pb_byte_t byte;
246
828k
    uint_fast8_t bitpos = 0;
247
828k
    uint64_t result = 0;
248
    
249
828k
    do
250
1.64M
    {
251
1.64M
        if (!pb_readbyte(stream, &byte))
252
995
            return false;
253
254
1.64M
        if (bitpos >= 63 && (byte & 0xFE) != 0)
255
114
            PB_RETURN_ERROR(stream, "varint overflow");
256
257
1.64M
        result |= (uint64_t)(byte & 0x7F) << bitpos;
258
1.64M
        bitpos = (uint_fast8_t)(bitpos + 7);
259
1.64M
    } while (byte & 0x80);
260
    
261
827k
    *dest = result;
262
827k
    return true;
263
828k
}
264
#endif
265
266
bool checkreturn pb_skip_varint(pb_istream_t *stream)
267
31.8k
{
268
31.8k
    pb_byte_t byte;
269
31.8k
    do
270
56.7k
    {
271
56.7k
        if (!pb_read(stream, &byte, 1))
272
284
            return false;
273
56.7k
    } while (byte & 0x80);
274
31.6k
    return true;
275
31.8k
}
276
277
bool checkreturn pb_skip_string(pb_istream_t *stream)
278
24.2k
{
279
24.2k
    uint32_t length;
280
24.2k
    if (!pb_decode_varint32(stream, &length))
281
341
        return false;
282
    
283
23.9k
    if ((size_t)length != length)
284
0
    {
285
0
        PB_RETURN_ERROR(stream, "size too large");
286
0
    }
287
288
23.9k
    return pb_read(stream, NULL, (size_t)length);
289
23.9k
}
290
291
bool checkreturn pb_decode_tag(pb_istream_t *stream, pb_wire_type_t *wire_type, uint32_t *tag, bool *eof)
292
1.58M
{
293
1.58M
    uint32_t temp;
294
1.58M
    *eof = false;
295
1.58M
    *wire_type = (pb_wire_type_t) 0;
296
1.58M
    *tag = 0;
297
    
298
1.58M
    if (!pb_decode_varint32_eof(stream, &temp, eof))
299
2.58k
    {
300
2.58k
        return false;
301
2.58k
    }
302
    
303
1.58M
    *tag = temp >> 3;
304
1.58M
    *wire_type = (pb_wire_type_t)(temp & 7);
305
1.58M
    return true;
306
1.58M
}
307
308
bool checkreturn pb_skip_field(pb_istream_t *stream, pb_wire_type_t wire_type)
309
80.5k
{
310
80.5k
    switch (wire_type)
311
80.5k
    {
312
31.8k
        case PB_WT_VARINT: return pb_skip_varint(stream);
313
3.85k
        case PB_WT_64BIT: return pb_read(stream, NULL, 8);
314
24.2k
        case PB_WT_STRING: return pb_skip_string(stream);
315
20.1k
        case PB_WT_32BIT: return pb_read(stream, NULL, 4);
316
472
        default: PB_RETURN_ERROR(stream, "invalid wire_type");
317
80.5k
    }
318
80.5k
}
319
320
/* Read a raw value to buffer, for the purpose of passing it to callback as
321
 * a substream. Size is maximum size on call, and actual size on return.
322
 */
323
static bool checkreturn read_raw_value(pb_istream_t *stream, pb_wire_type_t wire_type, pb_byte_t *buf, size_t *size)
324
4.48k
{
325
4.48k
    size_t max_size = *size;
326
4.48k
    switch (wire_type)
327
4.48k
    {
328
2.07k
        case PB_WT_VARINT:
329
2.07k
            *size = 0;
330
2.07k
            do
331
3.84k
            {
332
3.84k
                (*size)++;
333
3.84k
                if (*size > max_size)
334
8
                    PB_RETURN_ERROR(stream, "varint overflow");
335
336
3.83k
                if (!pb_read(stream, buf, 1))
337
33
                    return false;
338
3.83k
            } while (*buf++ & 0x80);
339
2.03k
            return true;
340
            
341
394
        case PB_WT_64BIT:
342
394
            *size = 8;
343
394
            return pb_read(stream, buf, 8);
344
        
345
1.95k
        case PB_WT_32BIT:
346
1.95k
            *size = 4;
347
1.95k
            return pb_read(stream, buf, 4);
348
        
349
0
        case PB_WT_STRING:
350
            /* Calling read_raw_value with a PB_WT_STRING is an error.
351
             * Explicitly handle this case and fallthrough to default to avoid
352
             * compiler warnings.
353
             */
354
355
55
        default: PB_RETURN_ERROR(stream, "invalid wire_type");
356
4.48k
    }
357
4.48k
}
358
359
/* Decode string length from stream and return a substream with limited length.
360
 * Remember to close the substream using pb_close_string_substream().
361
 */
362
bool checkreturn pb_make_string_substream(pb_istream_t *stream, pb_istream_t *substream)
363
173k
{
364
173k
    uint32_t size;
365
173k
    if (!pb_decode_varint32(stream, &size))
366
732
        return false;
367
    
368
172k
    *substream = *stream;
369
172k
    if (substream->bytes_left < size)
370
5.65k
        PB_RETURN_ERROR(stream, "parent stream too short");
371
    
372
167k
    substream->bytes_left = (size_t)size;
373
167k
    stream->bytes_left -= (size_t)size;
374
167k
    return true;
375
172k
}
376
377
bool checkreturn pb_close_string_substream(pb_istream_t *stream, pb_istream_t *substream)
378
166k
{
379
166k
    if (substream->bytes_left) {
380
41.9k
        if (!pb_read(substream, NULL, substream->bytes_left))
381
1.11k
            return false;
382
41.9k
    }
383
384
165k
    stream->state = substream->state;
385
386
165k
#ifndef PB_NO_ERRMSG
387
165k
    stream->errmsg = substream->errmsg;
388
165k
#endif
389
165k
    return true;
390
166k
}
391
392
/*************************
393
 * Decode a single field *
394
 *************************/
395
396
static bool checkreturn decode_basic_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field)
397
1.38M
{
398
1.38M
    switch (PB_LTYPE(field->type))
399
1.38M
    {
400
23.1k
        case PB_LTYPE_BOOL:
401
23.1k
            if (wire_type != PB_WT_VARINT && wire_type != PB_WT_PACKED)
402
54
                PB_RETURN_ERROR(stream, "wrong wire type");
403
404
23.0k
            return pb_dec_bool(stream, field);
405
406
560k
        case PB_LTYPE_VARINT:
407
767k
        case PB_LTYPE_UVARINT:
408
829k
        case PB_LTYPE_SVARINT:
409
829k
            if (wire_type != PB_WT_VARINT && wire_type != PB_WT_PACKED)
410
379
                PB_RETURN_ERROR(stream, "wrong wire type");
411
412
828k
            return pb_dec_varint(stream, field);
413
414
187k
        case PB_LTYPE_FIXED32:
415
187k
            if (wire_type != PB_WT_32BIT && wire_type != PB_WT_PACKED)
416
123
                PB_RETURN_ERROR(stream, "wrong wire type");
417
418
187k
            return pb_decode_fixed32(stream, field->pData);
419
420
116k
        case PB_LTYPE_FIXED64:
421
116k
            if (wire_type != PB_WT_64BIT && wire_type != PB_WT_PACKED)
422
67
                PB_RETURN_ERROR(stream, "wrong wire type");
423
424
#ifdef PB_CONVERT_DOUBLE_FLOAT
425
            if (field->data_size == sizeof(float))
426
            {
427
                return pb_decode_double_as_float(stream, (float*)field->pData);
428
            }
429
#endif
430
431
#ifdef PB_WITHOUT_64BIT
432
            PB_RETURN_ERROR(stream, "invalid data_size");
433
#else
434
116k
            return pb_decode_fixed64(stream, field->pData);
435
0
#endif
436
437
48.3k
        case PB_LTYPE_BYTES:
438
48.3k
            if (wire_type != PB_WT_STRING)
439
253
                PB_RETURN_ERROR(stream, "wrong wire type");
440
441
48.1k
            return pb_dec_bytes(stream, field);
442
443
75.0k
        case PB_LTYPE_STRING:
444
75.0k
            if (wire_type != PB_WT_STRING)
445
234
                PB_RETURN_ERROR(stream, "wrong wire type");
446
447
74.8k
            return pb_dec_string(stream, field);
448
449
69.0k
        case PB_LTYPE_SUBMESSAGE:
450
95.9k
        case PB_LTYPE_SUBMSG_W_CB:
451
95.9k
            if (wire_type != PB_WT_STRING)
452
275
                PB_RETURN_ERROR(stream, "wrong wire type");
453
454
95.6k
            return pb_dec_submessage(stream, field);
455
456
11.0k
        case PB_LTYPE_FIXED_LENGTH_BYTES:
457
11.0k
            if (wire_type != PB_WT_STRING)
458
23
                PB_RETURN_ERROR(stream, "wrong wire type");
459
460
11.0k
            return pb_dec_fixed_length_bytes(stream, field);
461
462
0
        default:
463
0
            PB_RETURN_ERROR(stream, "invalid field type");
464
1.38M
    }
465
1.38M
}
466
467
static bool checkreturn decode_static_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field)
468
968k
{
469
968k
    switch (PB_HTYPE(field->type))
470
968k
    {
471
652k
        case PB_HTYPE_REQUIRED:
472
652k
            return decode_basic_field(stream, wire_type, field);
473
            
474
256k
        case PB_HTYPE_OPTIONAL:
475
256k
            if (field->pSize != NULL)
476
256k
                *(bool*)field->pSize = true;
477
256k
            return decode_basic_field(stream, wire_type, field);
478
    
479
7.68k
        case PB_HTYPE_REPEATED:
480
7.68k
            if (wire_type == PB_WT_STRING
481
7.68k
                && PB_LTYPE(field->type) <= PB_LTYPE_LAST_PACKABLE)
482
3.31k
            {
483
                /* Packed array */
484
3.31k
                bool status = true;
485
3.31k
                pb_istream_t substream;
486
3.31k
                pb_size_t *size = (pb_size_t*)field->pSize;
487
3.31k
                field->pData = (char*)field->pField + field->data_size * (*size);
488
489
3.31k
                if (!pb_make_string_substream(stream, &substream))
490
441
                    return false;
491
492
12.0k
                while (substream.bytes_left > 0 && *size < field->array_size)
493
9.54k
                {
494
9.54k
                    if (!decode_basic_field(&substream, PB_WT_PACKED, field))
495
417
                    {
496
417
                        status = false;
497
417
                        break;
498
417
                    }
499
9.13k
                    (*size)++;
500
9.13k
                    field->pData = (char*)field->pData + field->data_size;
501
9.13k
                }
502
503
2.87k
                if (substream.bytes_left != 0)
504
354
                    PB_RETURN_ERROR(stream, "array overflow");
505
2.52k
                if (!pb_close_string_substream(stream, &substream))
506
0
                    return false;
507
508
2.52k
                return status;
509
2.52k
            }
510
4.36k
            else
511
4.36k
            {
512
                /* Repeated field */
513
4.36k
                pb_size_t *size = (pb_size_t*)field->pSize;
514
4.36k
                field->pData = (char*)field->pField + field->data_size * (*size);
515
516
4.36k
                if ((*size)++ >= field->array_size)
517
144
                    PB_RETURN_ERROR(stream, "array overflow");
518
519
4.22k
                return decode_basic_field(stream, wire_type, field);
520
4.36k
            }
521
522
52.0k
        case PB_HTYPE_ONEOF:
523
52.0k
            if (PB_LTYPE_IS_SUBMSG(field->type) &&
524
52.0k
                *(pb_size_t*)field->pSize != field->tag)
525
37.4k
            {
526
                /* We memset to zero so that any callbacks are set to NULL.
527
                 * This is because the callbacks might otherwise have values
528
                 * from some other union field.
529
                 * If callbacks are needed inside oneof field, use .proto
530
                 * option submsg_callback to have a separate callback function
531
                 * that can set the fields before submessage is decoded.
532
                 * pb_dec_submessage() will set any default values. */
533
37.4k
                memset(field->pData, 0, (size_t)field->data_size);
534
535
                /* Set default values for the submessage fields. */
536
37.4k
                if (field->submsg_desc->default_value != NULL ||
537
37.4k
                    field->submsg_desc->field_callback != NULL ||
538
37.4k
                    field->submsg_desc->submsg_info[0] != NULL)
539
22.8k
                {
540
22.8k
                    pb_field_iter_t submsg_iter;
541
22.8k
                    if (pb_field_iter_begin(&submsg_iter, field->submsg_desc, field->pData))
542
22.8k
                    {
543
22.8k
                        if (!pb_message_set_to_defaults(&submsg_iter))
544
0
                            PB_RETURN_ERROR(stream, "failed to set defaults");
545
22.8k
                    }
546
22.8k
                }
547
37.4k
            }
548
52.0k
            *(pb_size_t*)field->pSize = field->tag;
549
550
52.0k
            return decode_basic_field(stream, wire_type, field);
551
552
0
        default:
553
0
            PB_RETURN_ERROR(stream, "invalid field type");
554
968k
    }
555
968k
}
556
557
#ifdef PB_ENABLE_MALLOC
558
/* Allocate storage for the field and store the pointer at iter->pData.
559
 * array_size is the number of entries to reserve in an array.
560
 * Zero size is not allowed, use pb_free() for releasing.
561
 */
562
static bool checkreturn allocate_field(pb_istream_t *stream, void *pData, size_t data_size, size_t array_size)
563
401k
{    
564
401k
    void *ptr = *(void**)pData;
565
    
566
401k
    if (data_size == 0 || array_size == 0)
567
0
        PB_RETURN_ERROR(stream, "invalid size");
568
    
569
#ifdef __AVR__
570
    /* Workaround for AVR libc bug 53284: http://savannah.nongnu.org/bugs/?53284
571
     * Realloc to size of 1 byte can cause corruption of the malloc structures.
572
     */
573
    if (data_size == 1 && array_size == 1)
574
    {
575
        data_size = 2;
576
    }
577
#endif
578
579
    /* Check for multiplication overflows.
580
     * This code avoids the costly division if the sizes are small enough.
581
     * Multiplication is safe as long as only half of bits are set
582
     * in either multiplicand.
583
     */
584
401k
    {
585
401k
        const size_t check_limit = (size_t)1 << (sizeof(size_t) * 4);
586
401k
        if (data_size >= check_limit || array_size >= check_limit)
587
0
        {
588
0
            const size_t size_max = (size_t)-1;
589
0
            if (size_max / array_size < data_size)
590
0
            {
591
0
                PB_RETURN_ERROR(stream, "size too large");
592
0
            }
593
0
        }
594
401k
    }
595
    
596
    /* Allocate new or expand previous allocation */
597
    /* Note: on failure the old pointer will remain in the structure,
598
     * the message must be freed by caller also on error return. */
599
401k
    ptr = pb_realloc(ptr, array_size * data_size);
600
401k
    if (ptr == NULL)
601
267
        PB_RETURN_ERROR(stream, "realloc failed");
602
    
603
401k
    *(void**)pData = ptr;
604
401k
    return true;
605
401k
}
606
607
/* Clear a newly allocated item in case it contains a pointer, or is a submessage. */
608
static void initialize_pointer_field(void *pItem, pb_field_iter_t *field)
609
358k
{
610
358k
    if (PB_LTYPE(field->type) == PB_LTYPE_STRING ||
611
358k
        PB_LTYPE(field->type) == PB_LTYPE_BYTES)
612
1.94k
    {
613
1.94k
        *(void**)pItem = NULL;
614
1.94k
    }
615
356k
    else if (PB_LTYPE_IS_SUBMSG(field->type))
616
31.8k
    {
617
        /* We memset to zero so that any callbacks are set to NULL.
618
         * Default values will be set by pb_dec_submessage(). */
619
31.8k
        memset(pItem, 0, field->data_size);
620
31.8k
    }
621
358k
}
622
#endif
623
624
static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field)
625
392k
{
626
#ifndef PB_ENABLE_MALLOC
627
    PB_UNUSED(wire_type);
628
    PB_UNUSED(field);
629
    PB_RETURN_ERROR(stream, "no malloc support");
630
#else
631
392k
    switch (PB_HTYPE(field->type))
632
392k
    {
633
354k
        case PB_HTYPE_REQUIRED:
634
357k
        case PB_HTYPE_OPTIONAL:
635
378k
        case PB_HTYPE_ONEOF:
636
378k
            if (PB_LTYPE_IS_SUBMSG(field->type) && *(void**)field->pField != NULL)
637
9.15k
            {
638
                /* Duplicate field, have to release the old allocation first. */
639
                /* FIXME: Does this work correctly for oneofs? */
640
9.15k
                pb_release_single_field(field);
641
9.15k
            }
642
        
643
378k
            if (PB_HTYPE(field->type) == PB_HTYPE_ONEOF)
644
20.8k
            {
645
20.8k
                *(pb_size_t*)field->pSize = field->tag;
646
20.8k
            }
647
648
378k
            if (PB_LTYPE(field->type) == PB_LTYPE_STRING ||
649
378k
                PB_LTYPE(field->type) == PB_LTYPE_BYTES)
650
53.2k
            {
651
                /* pb_dec_string and pb_dec_bytes handle allocation themselves */
652
53.2k
                field->pData = field->pField;
653
53.2k
                return decode_basic_field(stream, wire_type, field);
654
53.2k
            }
655
324k
            else
656
324k
            {
657
324k
                if (!allocate_field(stream, field->pField, field->data_size, 1))
658
1
                    return false;
659
                
660
324k
                field->pData = *(void**)field->pField;
661
324k
                initialize_pointer_field(field->pData, field);
662
324k
                return decode_basic_field(stream, wire_type, field);
663
324k
            }
664
    
665
14.3k
        case PB_HTYPE_REPEATED:
666
14.3k
            if (wire_type == PB_WT_STRING
667
14.3k
                && PB_LTYPE(field->type) <= PB_LTYPE_LAST_PACKABLE)
668
2.97k
            {
669
                /* Packed array, multiple items come in at once. */
670
2.97k
                bool status = true;
671
2.97k
                pb_size_t *size = (pb_size_t*)field->pSize;
672
2.97k
                size_t allocated_size = *size;
673
2.97k
                pb_istream_t substream;
674
                
675
2.97k
                if (!pb_make_string_substream(stream, &substream))
676
18
                    return false;
677
                
678
24.8k
                while (substream.bytes_left)
679
22.3k
                {
680
22.3k
                    if (*size == PB_SIZE_MAX)
681
0
                    {
682
0
#ifndef PB_NO_ERRMSG
683
0
                        stream->errmsg = "too many array entries";
684
0
#endif
685
0
                        status = false;
686
0
                        break;
687
0
                    }
688
689
22.3k
                    if ((size_t)*size + 1 > allocated_size)
690
10.4k
                    {
691
                        /* Allocate more storage. This tries to guess the
692
                         * number of remaining entries. Round the division
693
                         * upwards. */
694
10.4k
                        size_t remain = (substream.bytes_left - 1) / field->data_size + 1;
695
10.4k
                        if (remain < PB_SIZE_MAX - allocated_size)
696
6.71k
                            allocated_size += remain;
697
3.76k
                        else
698
3.76k
                            allocated_size += 1;
699
                        
700
10.4k
                        if (!allocate_field(&substream, field->pField, field->data_size, allocated_size))
701
99
                        {
702
99
                            status = false;
703
99
                            break;
704
99
                        }
705
10.4k
                    }
706
707
                    /* Decode the array entry */
708
22.2k
                    field->pData = *(char**)field->pField + field->data_size * (*size);
709
22.2k
                    if (field->pData == NULL)
710
0
                    {
711
                        /* Shouldn't happen, but satisfies static analyzers */
712
0
                        status = false;
713
0
                        break;
714
0
                    }
715
22.2k
                    initialize_pointer_field(field->pData, field);
716
22.2k
                    if (!decode_basic_field(&substream, PB_WT_PACKED, field))
717
352
                    {
718
352
                        status = false;
719
352
                        break;
720
352
                    }
721
                    
722
21.9k
                    (*size)++;
723
21.9k
                }
724
2.95k
                if (!pb_close_string_substream(stream, &substream))
725
201
                    return false;
726
                
727
2.75k
                return status;
728
2.95k
            }
729
11.3k
            else
730
11.3k
            {
731
                /* Normal repeated field, i.e. only one item at a time. */
732
11.3k
                pb_size_t *size = (pb_size_t*)field->pSize;
733
734
11.3k
                if (*size == PB_SIZE_MAX)
735
0
                    PB_RETURN_ERROR(stream, "too many array entries");
736
                
737
11.3k
                if (!allocate_field(stream, field->pField, field->data_size, (size_t)(*size + 1)))
738
1
                    return false;
739
            
740
11.3k
                field->pData = *(char**)field->pField + field->data_size * (*size);
741
11.3k
                (*size)++;
742
11.3k
                initialize_pointer_field(field->pData, field);
743
11.3k
                return decode_basic_field(stream, wire_type, field);
744
11.3k
            }
745
746
0
        default:
747
0
            PB_RETURN_ERROR(stream, "invalid field type");
748
392k
    }
749
392k
#endif
750
392k
}
751
752
static bool checkreturn decode_callback_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field)
753
72.1k
{
754
72.1k
    if (!field->descriptor->field_callback)
755
0
        return pb_skip_field(stream, wire_type);
756
757
72.1k
    if (wire_type == PB_WT_STRING)
758
67.6k
    {
759
67.6k
        pb_istream_t substream;
760
67.6k
        size_t prev_bytes_left;
761
        
762
67.6k
        if (!pb_make_string_substream(stream, &substream))
763
1.00k
            return false;
764
        
765
66.6k
        do
766
66.6k
        {
767
66.6k
            prev_bytes_left = substream.bytes_left;
768
66.6k
            if (!field->descriptor->field_callback(&substream, NULL, field))
769
0
            {
770
0
                PB_SET_ERROR(stream, substream.errmsg ? substream.errmsg : "callback failed");
771
0
                return false;
772
0
            }
773
66.6k
        } while (substream.bytes_left > 0 && substream.bytes_left < prev_bytes_left);
774
        
775
66.6k
        if (!pb_close_string_substream(stream, &substream))
776
0
            return false;
777
778
66.6k
        return true;
779
66.6k
    }
780
4.48k
    else
781
4.48k
    {
782
        /* Copy the single scalar value to stack.
783
         * This is required so that we can limit the stream length,
784
         * which in turn allows to use same callback for packed and
785
         * not-packed fields. */
786
4.48k
        pb_istream_t substream;
787
4.48k
        pb_byte_t buffer[10];
788
4.48k
        size_t size = sizeof(buffer);
789
        
790
4.48k
        if (!read_raw_value(stream, wire_type, buffer, &size))
791
129
            return false;
792
4.35k
        substream = pb_istream_from_buffer(buffer, size);
793
        
794
4.35k
        return field->descriptor->field_callback(&substream, NULL, field);
795
4.48k
    }
796
72.1k
}
797
798
static bool checkreturn decode_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *field)
799
1.43M
{
800
1.43M
#ifdef PB_ENABLE_MALLOC
801
    /* When decoding an oneof field, check if there is old data that must be
802
     * released first. */
803
1.43M
    if (PB_HTYPE(field->type) == PB_HTYPE_ONEOF)
804
72.8k
    {
805
72.8k
        if (!pb_release_union_field(stream, field))
806
0
            return false;
807
72.8k
    }
808
1.43M
#endif
809
810
1.43M
    switch (PB_ATYPE(field->type))
811
1.43M
    {
812
968k
        case PB_ATYPE_STATIC:
813
968k
            return decode_static_field(stream, wire_type, field);
814
        
815
392k
        case PB_ATYPE_POINTER:
816
392k
            return decode_pointer_field(stream, wire_type, field);
817
        
818
72.1k
        case PB_ATYPE_CALLBACK:
819
72.1k
            return decode_callback_field(stream, wire_type, field);
820
        
821
0
        default:
822
0
            PB_RETURN_ERROR(stream, "invalid field type");
823
1.43M
    }
824
1.43M
}
825
826
/* Default handler for extension fields. Expects to have a pb_msgdesc_t
827
 * pointer in the extension->type->arg field, pointing to a message with
828
 * only one field in it.  */
829
static bool checkreturn default_extension_decoder(pb_istream_t *stream,
830
    pb_extension_t *extension, uint32_t tag, pb_wire_type_t wire_type)
831
7.63k
{
832
7.63k
    pb_field_iter_t iter;
833
834
7.63k
    if (!pb_field_iter_begin_extension(&iter, extension))
835
0
        PB_RETURN_ERROR(stream, "invalid extension");
836
837
7.63k
    if (iter.tag != tag || !iter.message)
838
6.59k
        return true;
839
840
1.03k
    extension->found = true;
841
1.03k
    return decode_field(stream, wire_type, &iter);
842
7.63k
}
843
844
/* Try to decode an unknown field as an extension field. Tries each extension
845
 * decoder in turn, until one of them handles the field or loop ends. */
846
static bool checkreturn decode_extension(pb_istream_t *stream,
847
    uint32_t tag, pb_wire_type_t wire_type, pb_extension_t *extension)
848
7.63k
{
849
7.63k
    size_t pos = stream->bytes_left;
850
    
851
15.1k
    while (extension != NULL && pos == stream->bytes_left)
852
7.63k
    {
853
7.63k
        bool status;
854
7.63k
        if (extension->type->decode)
855
0
            status = extension->type->decode(stream, extension, tag, wire_type);
856
7.63k
        else
857
7.63k
            status = default_extension_decoder(stream, extension, tag, wire_type);
858
859
7.63k
        if (!status)
860
88
            return false;
861
        
862
7.54k
        extension = extension->next;
863
7.54k
    }
864
    
865
7.54k
    return true;
866
7.63k
}
867
868
/* Initialize message fields to default values, recursively */
869
static bool pb_field_set_to_default(pb_field_iter_t *field)
870
1.41M
{
871
1.41M
    pb_type_t type;
872
1.41M
    type = field->type;
873
874
1.41M
    if (PB_LTYPE(type) == PB_LTYPE_EXTENSION)
875
15.9k
    {
876
15.9k
        pb_extension_t *ext = *(pb_extension_t* const *)field->pData;
877
19.9k
        while (ext != NULL)
878
3.98k
        {
879
3.98k
            pb_field_iter_t ext_iter;
880
3.98k
            if (pb_field_iter_begin_extension(&ext_iter, ext))
881
3.98k
            {
882
3.98k
                ext->found = false;
883
3.98k
                if (!pb_message_set_to_defaults(&ext_iter))
884
0
                    return false;
885
3.98k
            }
886
3.98k
            ext = ext->next;
887
3.98k
        }
888
15.9k
    }
889
1.39M
    else if (PB_ATYPE(type) == PB_ATYPE_STATIC)
890
950k
    {
891
950k
        bool init_data = true;
892
950k
        if (PB_HTYPE(type) == PB_HTYPE_OPTIONAL && field->pSize != NULL)
893
274k
        {
894
            /* Set has_field to false. Still initialize the optional field
895
             * itself also. */
896
274k
            *(bool*)field->pSize = false;
897
274k
        }
898
675k
        else if (PB_HTYPE(type) == PB_HTYPE_REPEATED ||
899
675k
                 PB_HTYPE(type) == PB_HTYPE_ONEOF)
900
206k
        {
901
            /* REPEATED: Set array count to 0, no need to initialize contents.
902
               ONEOF: Set which_field to 0. */
903
206k
            *(pb_size_t*)field->pSize = 0;
904
206k
            init_data = false;
905
206k
        }
906
907
950k
        if (init_data)
908
743k
        {
909
743k
            if (PB_LTYPE_IS_SUBMSG(field->type) &&
910
743k
                (field->submsg_desc->default_value != NULL ||
911
87.5k
                 field->submsg_desc->field_callback != NULL ||
912
87.5k
                 field->submsg_desc->submsg_info[0] != NULL))
913
35.8k
            {
914
                /* Initialize submessage to defaults.
915
                 * Only needed if it has default values
916
                 * or callback/submessage fields. */
917
35.8k
                pb_field_iter_t submsg_iter;
918
35.8k
                if (pb_field_iter_begin(&submsg_iter, field->submsg_desc, field->pData))
919
35.8k
                {
920
35.8k
                    if (!pb_message_set_to_defaults(&submsg_iter))
921
0
                        return false;
922
35.8k
                }
923
35.8k
            }
924
707k
            else
925
707k
            {
926
                /* Initialize to zeros */
927
707k
                memset(field->pData, 0, (size_t)field->data_size);
928
707k
            }
929
743k
        }
930
950k
    }
931
445k
    else if (PB_ATYPE(type) == PB_ATYPE_POINTER)
932
313k
    {
933
        /* Initialize the pointer to NULL. */
934
313k
        *(void**)field->pField = NULL;
935
936
        /* Initialize array count to 0. */
937
313k
        if (PB_HTYPE(type) == PB_HTYPE_REPEATED ||
938
313k
            PB_HTYPE(type) == PB_HTYPE_ONEOF)
939
91.5k
        {
940
91.5k
            *(pb_size_t*)field->pSize = 0;
941
91.5k
        }
942
313k
    }
943
132k
    else if (PB_ATYPE(type) == PB_ATYPE_CALLBACK)
944
132k
    {
945
        /* Don't overwrite callback */
946
132k
    }
947
948
1.41M
    return true;
949
1.41M
}
950
951
static bool pb_message_set_to_defaults(pb_field_iter_t *iter)
952
94.1k
{
953
94.1k
    pb_istream_t defstream = PB_ISTREAM_EMPTY;
954
94.1k
    uint32_t tag = 0;
955
94.1k
    pb_wire_type_t wire_type = PB_WT_VARINT;
956
94.1k
    bool eof;
957
958
94.1k
    if (iter->descriptor->default_value)
959
71.6k
    {
960
71.6k
        defstream = pb_istream_from_buffer(iter->descriptor->default_value, (size_t)-1);
961
71.6k
        if (!pb_decode_tag(&defstream, &wire_type, &tag, &eof))
962
0
            return false;
963
71.6k
    }
964
965
94.1k
    do
966
1.41M
    {
967
1.41M
        if (!pb_field_set_to_default(iter))
968
0
            return false;
969
970
1.41M
        if (tag != 0 && iter->tag == tag)
971
452k
        {
972
            /* We have a default value for this field in the defstream */
973
452k
            if (!decode_field(&defstream, wire_type, iter))
974
0
                return false;
975
452k
            if (!pb_decode_tag(&defstream, &wire_type, &tag, &eof))
976
0
                return false;
977
978
452k
            if (iter->pSize)
979
250k
                *(bool*)iter->pSize = false;
980
452k
        }
981
1.41M
    } while (pb_field_iter_next(iter));
982
983
94.1k
    return true;
984
94.1k
}
985
986
/*********************
987
 * Decode all fields *
988
 *********************/
989
990
static bool checkreturn pb_decode_inner(pb_istream_t *stream, const pb_msgdesc_t *fields, void *dest_struct, unsigned int flags)
991
95.7k
{
992
95.7k
    uint32_t extension_range_start = 0;
993
95.7k
    pb_extension_t *extensions = NULL;
994
995
    /* 'fixed_count_field' and 'fixed_count_size' track position of a repeated fixed
996
     * count field. This can only handle _one_ repeated fixed count field that
997
     * is unpacked and unordered among other (non repeated fixed count) fields.
998
     */
999
95.7k
    pb_size_t fixed_count_field = PB_SIZE_MAX;
1000
95.7k
    pb_size_t fixed_count_size = 0;
1001
95.7k
    pb_size_t fixed_count_total_size = 0;
1002
1003
95.7k
    pb_fields_seen_t fields_seen = {{0, 0}};
1004
95.7k
    const uint32_t allbits = ~(uint32_t)0;
1005
95.7k
    pb_field_iter_t iter;
1006
1007
95.7k
    if (pb_field_iter_begin(&iter, fields, dest_struct))
1008
65.5k
    {
1009
65.5k
        if ((flags & PB_DECODE_NOINIT) == 0)
1010
31.5k
        {
1011
31.5k
            if (!pb_message_set_to_defaults(&iter))
1012
0
                PB_RETURN_ERROR(stream, "failed to set defaults");
1013
31.5k
        }
1014
65.5k
    }
1015
1016
1.14M
    while (stream->bytes_left)
1017
1.06M
    {
1018
1.06M
        uint32_t tag;
1019
1.06M
        pb_wire_type_t wire_type;
1020
1.06M
        bool eof;
1021
1022
1.06M
        if (!pb_decode_tag(stream, &wire_type, &tag, &eof))
1023
2.58k
        {
1024
2.58k
            if (eof)
1025
1.11k
                break;
1026
1.47k
            else
1027
1.47k
                return false;
1028
2.58k
        }
1029
1030
1.06M
        if (tag == 0)
1031
1.08k
        {
1032
1.08k
          if (flags & PB_DECODE_NULLTERMINATED)
1033
180
          {
1034
180
            break;
1035
180
          }
1036
900
          else
1037
900
          {
1038
900
            PB_RETURN_ERROR(stream, "zero tag");
1039
900
          }
1040
1.08k
        }
1041
1042
1.06M
        if (!pb_field_iter_find(&iter, tag) || PB_LTYPE(iter.type) == PB_LTYPE_EXTENSION)
1043
81.6k
        {
1044
            /* No match found, check if it matches an extension. */
1045
81.6k
            if (extension_range_start == 0)
1046
6.59k
            {
1047
6.59k
                if (pb_field_iter_find_extension(&iter))
1048
3.50k
                {
1049
3.50k
                    extensions = *(pb_extension_t* const *)iter.pData;
1050
3.50k
                    extension_range_start = iter.tag;
1051
3.50k
                }
1052
1053
6.59k
                if (!extensions)
1054
5.52k
                {
1055
5.52k
                    extension_range_start = (uint32_t)-1;
1056
5.52k
                }
1057
6.59k
            }
1058
1059
81.6k
            if (tag >= extension_range_start)
1060
7.63k
            {
1061
7.63k
                size_t pos = stream->bytes_left;
1062
1063
7.63k
                if (!decode_extension(stream, tag, wire_type, extensions))
1064
88
                    return false;
1065
1066
7.54k
                if (pos != stream->bytes_left)
1067
951
                {
1068
                    /* The field was handled */
1069
951
                    continue;
1070
951
                }
1071
7.54k
            }
1072
1073
            /* No match found, skip data */
1074
80.5k
            if (!pb_skip_field(stream, wire_type))
1075
2.08k
                return false;
1076
78.4k
            continue;
1077
80.5k
        }
1078
1079
        /* If a repeated fixed count field was found, get size from
1080
         * 'fixed_count_field' as there is no counter contained in the struct.
1081
         */
1082
979k
        if (PB_HTYPE(iter.type) == PB_HTYPE_REPEATED && iter.pSize == &iter.array_size)
1083
2.91k
        {
1084
2.91k
            if (fixed_count_field != iter.index) {
1085
                /* If the new fixed count field does not match the previous one,
1086
                 * check that the previous one is NULL or that it finished
1087
                 * receiving all the expected data.
1088
                 */
1089
1.01k
                if (fixed_count_field != PB_SIZE_MAX &&
1090
1.01k
                    fixed_count_size != fixed_count_total_size)
1091
35
                {
1092
35
                    PB_RETURN_ERROR(stream, "wrong size for fixed count field");
1093
35
                }
1094
1095
983
                fixed_count_field = iter.index;
1096
983
                fixed_count_size = 0;
1097
983
                fixed_count_total_size = iter.array_size;
1098
983
            }
1099
1100
2.88k
            iter.pSize = &fixed_count_size;
1101
2.88k
        }
1102
1103
979k
        if (PB_HTYPE(iter.type) == PB_HTYPE_REQUIRED
1104
979k
            && iter.required_field_index < PB_MAX_REQUIRED_FIELDS)
1105
861k
        {
1106
861k
            uint32_t tmp = ((uint32_t)1 << (iter.required_field_index & 31));
1107
861k
            fields_seen.bitfield[iter.required_field_index >> 5] |= tmp;
1108
861k
        }
1109
1110
979k
        if (!decode_field(stream, wire_type, &iter))
1111
12.2k
            return false;
1112
979k
    }
1113
1114
    /* Check that all elements of the last decoded fixed count field were present. */
1115
78.8k
    if (fixed_count_field != PB_SIZE_MAX &&
1116
78.8k
        fixed_count_size != fixed_count_total_size)
1117
49
    {
1118
49
        PB_RETURN_ERROR(stream, "wrong size for fixed count field");
1119
49
    }
1120
1121
    /* Check that all required fields were present. */
1122
78.8k
    {
1123
78.8k
        pb_size_t req_field_count = iter.descriptor->required_field_count;
1124
1125
78.8k
        if (req_field_count > 0)
1126
47.9k
        {
1127
47.9k
            pb_size_t i;
1128
1129
47.9k
            if (req_field_count > PB_MAX_REQUIRED_FIELDS)
1130
0
                req_field_count = PB_MAX_REQUIRED_FIELDS;
1131
1132
            /* Check the whole words */
1133
47.9k
            for (i = 0; i < (req_field_count >> 5); i++)
1134
0
            {
1135
0
                if (fields_seen.bitfield[i] != allbits)
1136
0
                    PB_RETURN_ERROR(stream, "missing required field");
1137
0
            }
1138
1139
            /* Check the remaining bits (if any) */
1140
47.9k
            if ((req_field_count & 31) != 0)
1141
47.9k
            {
1142
47.9k
                if (fields_seen.bitfield[req_field_count >> 5] !=
1143
47.9k
                    (allbits >> (uint_least8_t)(32 - (req_field_count & 31))))
1144
2.34k
                {
1145
2.34k
                    PB_RETURN_ERROR(stream, "missing required field");
1146
2.34k
                }
1147
47.9k
            }
1148
47.9k
        }
1149
78.8k
    }
1150
1151
76.4k
    return true;
1152
78.8k
}
1153
1154
bool checkreturn pb_decode_ex(pb_istream_t *stream, const pb_msgdesc_t *fields, void *dest_struct, unsigned int flags)
1155
7.96k
{
1156
7.96k
    bool status;
1157
1158
7.96k
    if ((flags & PB_DECODE_DELIMITED) == 0)
1159
3.98k
    {
1160
3.98k
      status = pb_decode_inner(stream, fields, dest_struct, flags);
1161
3.98k
    }
1162
3.98k
    else
1163
3.98k
    {
1164
3.98k
      pb_istream_t substream;
1165
3.98k
      if (!pb_make_string_substream(stream, &substream))
1166
2.78k
        return false;
1167
1168
1.19k
      status = pb_decode_inner(&substream, fields, dest_struct, flags);
1169
1170
1.19k
      if (!pb_close_string_substream(stream, &substream))
1171
0
        return false;
1172
1.19k
    }
1173
    
1174
5.17k
#ifdef PB_ENABLE_MALLOC
1175
5.17k
    if (!status)
1176
5.09k
        pb_release(fields, dest_struct);
1177
5.17k
#endif
1178
    
1179
5.17k
    return status;
1180
7.96k
}
1181
1182
bool checkreturn pb_decode(pb_istream_t *stream, const pb_msgdesc_t *fields, void *dest_struct)
1183
11.9k
{
1184
11.9k
    bool status;
1185
1186
11.9k
    status = pb_decode_inner(stream, fields, dest_struct, 0);
1187
1188
11.9k
#ifdef PB_ENABLE_MALLOC
1189
11.9k
    if (!status)
1190
11.8k
        pb_release(fields, dest_struct);
1191
11.9k
#endif
1192
1193
11.9k
    return status;
1194
11.9k
}
1195
1196
#ifdef PB_ENABLE_MALLOC
1197
/* Given an oneof field, if there has already been a field inside this oneof,
1198
 * release it before overwriting with a different one. */
1199
static bool pb_release_union_field(pb_istream_t *stream, pb_field_iter_t *field)
1200
72.8k
{
1201
72.8k
    pb_field_iter_t old_field = *field;
1202
72.8k
    pb_size_t old_tag = *(pb_size_t*)field->pSize; /* Previous which_ value */
1203
72.8k
    pb_size_t new_tag = field->tag; /* New which_ value */
1204
1205
72.8k
    if (old_tag == 0)
1206
2.96k
        return true; /* Ok, no old data in union */
1207
1208
69.9k
    if (old_tag == new_tag)
1209
20.2k
        return true; /* Ok, old data is of same type => merge */
1210
1211
    /* Release old data. The find can fail if the message struct contains
1212
     * invalid data. */
1213
49.7k
    if (!pb_field_iter_find(&old_field, old_tag))
1214
0
        PB_RETURN_ERROR(stream, "invalid union tag");
1215
1216
49.7k
    pb_release_single_field(&old_field);
1217
1218
49.7k
    if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)
1219
14.6k
    {
1220
        /* Initialize the pointer to NULL to make sure it is valid
1221
         * even in case of error return. */
1222
14.6k
        *(void**)field->pField = NULL;
1223
14.6k
        field->pData = NULL;
1224
14.6k
    }
1225
1226
49.7k
    return true;
1227
49.7k
}
1228
1229
static void pb_release_single_field(pb_field_iter_t *field)
1230
3.45M
{
1231
3.45M
    pb_type_t type;
1232
3.45M
    type = field->type;
1233
1234
3.45M
    if (PB_HTYPE(type) == PB_HTYPE_ONEOF)
1235
165k
    {
1236
165k
        if (*(pb_size_t*)field->pSize != field->tag)
1237
104k
            return; /* This is not the current field in the union */
1238
165k
    }
1239
1240
    /* Release anything contained inside an extension or submsg.
1241
     * This has to be done even if the submsg itself is statically
1242
     * allocated. */
1243
3.34M
    if (PB_LTYPE(type) == PB_LTYPE_EXTENSION)
1244
36.8k
    {
1245
        /* Release fields from all extensions in the linked list */
1246
36.8k
        pb_extension_t *ext = *(pb_extension_t**)field->pData;
1247
49.9k
        while (ext != NULL)
1248
13.0k
        {
1249
13.0k
            pb_field_iter_t ext_iter;
1250
13.0k
            if (pb_field_iter_begin_extension(&ext_iter, ext))
1251
13.0k
            {
1252
13.0k
                pb_release_single_field(&ext_iter);
1253
13.0k
            }
1254
13.0k
            ext = ext->next;
1255
13.0k
        }
1256
36.8k
    }
1257
3.30M
    else if (PB_LTYPE_IS_SUBMSG(type) && PB_ATYPE(type) != PB_ATYPE_CALLBACK)
1258
393k
    {
1259
        /* Release fields in submessage or submsg array */
1260
393k
        pb_size_t count = 1;
1261
        
1262
393k
        if (PB_ATYPE(type) == PB_ATYPE_POINTER)
1263
96.5k
        {
1264
96.5k
            field->pData = *(void**)field->pField;
1265
96.5k
        }
1266
297k
        else
1267
297k
        {
1268
297k
            field->pData = field->pField;
1269
297k
        }
1270
        
1271
393k
        if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
1272
57.9k
        {
1273
57.9k
            count = *(pb_size_t*)field->pSize;
1274
1275
57.9k
            if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > field->array_size)
1276
144
            {
1277
                /* Protect against corrupted _count fields */
1278
144
                count = field->array_size;
1279
144
            }
1280
57.9k
        }
1281
        
1282
393k
        if (field->pData)
1283
323k
        {
1284
614k
            for (; count > 0; count--)
1285
291k
            {
1286
291k
                pb_release(field->submsg_desc, field->pData);
1287
291k
                field->pData = (char*)field->pData + field->data_size;
1288
291k
            }
1289
323k
        }
1290
393k
    }
1291
    
1292
3.34M
    if (PB_ATYPE(type) == PB_ATYPE_POINTER)
1293
591k
    {
1294
591k
        if (PB_HTYPE(type) == PB_HTYPE_REPEATED &&
1295
591k
            (PB_LTYPE(type) == PB_LTYPE_STRING ||
1296
167k
             PB_LTYPE(type) == PB_LTYPE_BYTES))
1297
15.9k
        {
1298
            /* Release entries in repeated string or bytes array */
1299
15.9k
            void **pItem = *(void***)field->pField;
1300
15.9k
            pb_size_t count = *(pb_size_t*)field->pSize;
1301
17.8k
            for (; count > 0; count--)
1302
1.94k
            {
1303
1.94k
                pb_free(*pItem);
1304
1.94k
                *pItem++ = NULL;
1305
1.94k
            }
1306
15.9k
        }
1307
        
1308
591k
        if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
1309
167k
        {
1310
            /* We are going to release the array, so set the size to 0 */
1311
167k
            *(pb_size_t*)field->pSize = 0;
1312
167k
        }
1313
        
1314
        /* Release main pointer */
1315
591k
        pb_free(*(void**)field->pField);
1316
591k
        *(void**)field->pField = NULL;
1317
591k
    }
1318
3.34M
}
1319
1320
void pb_release(const pb_msgdesc_t *fields, void *dest_struct)
1321
328k
{
1322
328k
    pb_field_iter_t iter;
1323
    
1324
328k
    if (!dest_struct)
1325
0
        return; /* Ignore NULL pointers, similar to free() */
1326
1327
328k
    if (!pb_field_iter_begin(&iter, fields, dest_struct))
1328
91.0k
        return; /* Empty message type */
1329
    
1330
237k
    do
1331
3.37M
    {
1332
3.37M
        pb_release_single_field(&iter);
1333
3.37M
    } while (pb_field_iter_next(&iter));
1334
237k
}
1335
#else
1336
void pb_release(const pb_msgdesc_t *fields, void *dest_struct)
1337
{
1338
    /* Nothing to release without PB_ENABLE_MALLOC. */
1339
    PB_UNUSED(fields);
1340
    PB_UNUSED(dest_struct);
1341
}
1342
#endif
1343
1344
/* Field decoders */
1345
1346
bool pb_decode_bool(pb_istream_t *stream, bool *dest)
1347
23.0k
{
1348
23.0k
    uint32_t value;
1349
23.0k
    if (!pb_decode_varint32(stream, &value))
1350
244
        return false;
1351
1352
22.8k
    *(bool*)dest = (value != 0);
1353
22.8k
    return true;
1354
23.0k
}
1355
1356
bool pb_decode_svarint(pb_istream_t *stream, pb_int64_t *dest)
1357
61.8k
{
1358
61.8k
    pb_uint64_t value;
1359
61.8k
    if (!pb_decode_varint(stream, &value))
1360
296
        return false;
1361
    
1362
61.5k
    if (value & 1)
1363
7.73k
        *dest = (pb_int64_t)(~(value >> 1));
1364
53.7k
    else
1365
53.7k
        *dest = (pb_int64_t)(value >> 1);
1366
    
1367
61.5k
    return true;
1368
61.8k
}
1369
1370
bool pb_decode_fixed32(pb_istream_t *stream, void *dest)
1371
187k
{
1372
187k
    union {
1373
187k
        uint32_t fixed32;
1374
187k
        pb_byte_t bytes[4];
1375
187k
    } u;
1376
1377
187k
    if (!pb_read(stream, u.bytes, 4))
1378
251
        return false;
1379
1380
#if defined(PB_LITTLE_ENDIAN_8BIT) && PB_LITTLE_ENDIAN_8BIT == 1
1381
    /* fast path - if we know that we're on little endian, assign directly */
1382
    *(uint32_t*)dest = u.fixed32;
1383
#else
1384
186k
    *(uint32_t*)dest = ((uint32_t)u.bytes[0] << 0) |
1385
186k
                       ((uint32_t)u.bytes[1] << 8) |
1386
186k
                       ((uint32_t)u.bytes[2] << 16) |
1387
186k
                       ((uint32_t)u.bytes[3] << 24);
1388
186k
#endif
1389
186k
    return true;
1390
187k
}
1391
1392
#ifndef PB_WITHOUT_64BIT
1393
bool pb_decode_fixed64(pb_istream_t *stream, void *dest)
1394
116k
{
1395
116k
    union {
1396
116k
        uint64_t fixed64;
1397
116k
        pb_byte_t bytes[8];
1398
116k
    } u;
1399
1400
116k
    if (!pb_read(stream, u.bytes, 8))
1401
260
        return false;
1402
1403
#if defined(PB_LITTLE_ENDIAN_8BIT) && PB_LITTLE_ENDIAN_8BIT == 1
1404
    /* fast path - if we know that we're on little endian, assign directly */
1405
    *(uint64_t*)dest = u.fixed64;
1406
#else
1407
116k
    *(uint64_t*)dest = ((uint64_t)u.bytes[0] << 0) |
1408
116k
                       ((uint64_t)u.bytes[1] << 8) |
1409
116k
                       ((uint64_t)u.bytes[2] << 16) |
1410
116k
                       ((uint64_t)u.bytes[3] << 24) |
1411
116k
                       ((uint64_t)u.bytes[4] << 32) |
1412
116k
                       ((uint64_t)u.bytes[5] << 40) |
1413
116k
                       ((uint64_t)u.bytes[6] << 48) |
1414
116k
                       ((uint64_t)u.bytes[7] << 56);
1415
116k
#endif
1416
116k
    return true;
1417
116k
}
1418
#endif
1419
1420
static bool checkreturn pb_dec_bool(pb_istream_t *stream, const pb_field_iter_t *field)
1421
23.0k
{
1422
23.0k
    return pb_decode_bool(stream, (bool*)field->pData);
1423
23.0k
}
1424
1425
static bool checkreturn pb_dec_varint(pb_istream_t *stream, const pb_field_iter_t *field)
1426
828k
{
1427
828k
    if (PB_LTYPE(field->type) == PB_LTYPE_UVARINT)
1428
206k
    {
1429
206k
        pb_uint64_t value, clamped;
1430
206k
        if (!pb_decode_varint(stream, &value))
1431
344
            return false;
1432
1433
        /* Cast to the proper field size, while checking for overflows */
1434
206k
        if (field->data_size == sizeof(pb_uint64_t))
1435
107k
            clamped = *(pb_uint64_t*)field->pData = value;
1436
99.1k
        else if (field->data_size == sizeof(uint32_t))
1437
96.3k
            clamped = *(uint32_t*)field->pData = (uint32_t)value;
1438
2.83k
        else if (field->data_size == sizeof(uint_least16_t))
1439
1.34k
            clamped = *(uint_least16_t*)field->pData = (uint_least16_t)value;
1440
1.48k
        else if (field->data_size == sizeof(uint_least8_t))
1441
1.48k
            clamped = *(uint_least8_t*)field->pData = (uint_least8_t)value;
1442
0
        else
1443
0
            PB_RETURN_ERROR(stream, "invalid data_size");
1444
1445
206k
        if (clamped != value)
1446
297
            PB_RETURN_ERROR(stream, "integer too large");
1447
1448
206k
        return true;
1449
206k
    }
1450
621k
    else
1451
621k
    {
1452
621k
        pb_uint64_t value;
1453
621k
        pb_int64_t svalue;
1454
621k
        pb_int64_t clamped;
1455
1456
621k
        if (PB_LTYPE(field->type) == PB_LTYPE_SVARINT)
1457
61.8k
        {
1458
61.8k
            if (!pb_decode_svarint(stream, &svalue))
1459
296
                return false;
1460
61.8k
        }
1461
560k
        else
1462
560k
        {
1463
560k
            if (!pb_decode_varint(stream, &value))
1464
469
                return false;
1465
1466
            /* See issue 97: Google's C++ protobuf allows negative varint values to
1467
            * be cast as int32_t, instead of the int64_t that should be used when
1468
            * encoding. Nanopb versions before 0.2.5 had a bug in encoding. In order to
1469
            * not break decoding of such messages, we cast <=32 bit fields to
1470
            * int32_t first to get the sign correct.
1471
            */
1472
559k
            if (field->data_size == sizeof(pb_int64_t))
1473
345k
                svalue = (pb_int64_t)value;
1474
214k
            else
1475
214k
                svalue = (int32_t)value;
1476
559k
        }
1477
1478
        /* Cast to the proper field size, while checking for overflows */
1479
621k
        if (field->data_size == sizeof(pb_int64_t))
1480
373k
            clamped = *(pb_int64_t*)field->pData = svalue;
1481
248k
        else if (field->data_size == sizeof(int32_t))
1482
242k
            clamped = *(int32_t*)field->pData = (int32_t)svalue;
1483
5.08k
        else if (field->data_size == sizeof(int_least16_t))
1484
2.51k
            clamped = *(int_least16_t*)field->pData = (int_least16_t)svalue;
1485
2.56k
        else if (field->data_size == sizeof(int_least8_t))
1486
2.56k
            clamped = *(int_least8_t*)field->pData = (int_least8_t)svalue;
1487
0
        else
1488
0
            PB_RETURN_ERROR(stream, "invalid data_size");
1489
1490
621k
        if (clamped != svalue)
1491
289
            PB_RETURN_ERROR(stream, "integer too large");
1492
1493
620k
        return true;
1494
621k
    }
1495
828k
}
1496
1497
static bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_iter_t *field)
1498
48.1k
{
1499
48.1k
    uint32_t size;
1500
48.1k
    size_t alloc_size;
1501
48.1k
    pb_bytes_array_t *dest;
1502
    
1503
48.1k
    if (!pb_decode_varint32(stream, &size))
1504
67
        return false;
1505
    
1506
48.0k
    if (size > PB_SIZE_MAX)
1507
103
        PB_RETURN_ERROR(stream, "bytes overflow");
1508
    
1509
47.9k
    alloc_size = PB_BYTES_ARRAY_T_ALLOCSIZE(size);
1510
47.9k
    if (size > alloc_size)
1511
0
        PB_RETURN_ERROR(stream, "size too large");
1512
    
1513
47.9k
    if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)
1514
35.9k
    {
1515
#ifndef PB_ENABLE_MALLOC
1516
        PB_RETURN_ERROR(stream, "no malloc support");
1517
#else
1518
35.9k
        if (stream->bytes_left < size)
1519
0
            PB_RETURN_ERROR(stream, "end-of-stream");
1520
1521
35.9k
        if (!allocate_field(stream, field->pData, alloc_size, 1))
1522
33
            return false;
1523
35.9k
        dest = *(pb_bytes_array_t**)field->pData;
1524
35.9k
#endif
1525
35.9k
    }
1526
11.9k
    else
1527
11.9k
    {
1528
11.9k
        if (alloc_size > field->data_size)
1529
477
            PB_RETURN_ERROR(stream, "bytes overflow");
1530
11.4k
        dest = (pb_bytes_array_t*)field->pData;
1531
11.4k
    }
1532
1533
47.4k
    dest->size = (pb_size_t)size;
1534
47.4k
    return pb_read(stream, dest->bytes, (size_t)size);
1535
47.9k
}
1536
1537
static bool checkreturn pb_dec_string(pb_istream_t *stream, const pb_field_iter_t *field)
1538
74.8k
{
1539
74.8k
    uint32_t size;
1540
74.8k
    size_t alloc_size;
1541
74.8k
    pb_byte_t *dest = (pb_byte_t*)field->pData;
1542
1543
74.8k
    if (!pb_decode_varint32(stream, &size))
1544
111
        return false;
1545
1546
74.7k
    if (size == (uint32_t)-1)
1547
10
        PB_RETURN_ERROR(stream, "size too large");
1548
1549
    /* Space for null terminator */
1550
74.7k
    alloc_size = (size_t)(size + 1);
1551
1552
74.7k
    if (alloc_size < size)
1553
0
        PB_RETURN_ERROR(stream, "size too large");
1554
1555
74.7k
    if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)
1556
18.9k
    {
1557
#ifndef PB_ENABLE_MALLOC
1558
        PB_RETURN_ERROR(stream, "no malloc support");
1559
#else
1560
18.9k
        if (stream->bytes_left < size)
1561
7
            PB_RETURN_ERROR(stream, "end-of-stream");
1562
1563
18.9k
        if (!allocate_field(stream, field->pData, alloc_size, 1))
1564
133
            return false;
1565
18.8k
        dest = *(pb_byte_t**)field->pData;
1566
18.8k
#endif
1567
18.8k
    }
1568
55.7k
    else
1569
55.7k
    {
1570
55.7k
        if (alloc_size > field->data_size)
1571
462
            PB_RETURN_ERROR(stream, "string overflow");
1572
55.7k
    }
1573
    
1574
74.1k
    dest[size] = 0;
1575
1576
74.1k
    if (!pb_read(stream, dest, (size_t)size))
1577
208
        return false;
1578
1579
#ifdef PB_VALIDATE_UTF8
1580
    if (!pb_validate_utf8((const char*)dest))
1581
        PB_RETURN_ERROR(stream, "invalid utf8");
1582
#endif
1583
1584
73.8k
    return true;
1585
74.1k
}
1586
1587
static bool checkreturn pb_dec_submessage(pb_istream_t *stream, const pb_field_iter_t *field)
1588
95.6k
{
1589
95.6k
    bool status = true;
1590
95.6k
    bool submsg_consumed = false;
1591
95.6k
    pb_istream_t substream;
1592
1593
95.6k
    if (!pb_make_string_substream(stream, &substream))
1594
2.14k
        return false;
1595
    
1596
93.5k
    if (field->submsg_desc == NULL)
1597
0
        PB_RETURN_ERROR(stream, "invalid field descriptor");
1598
    
1599
    /* Submessages can have a separate message-level callback that is called
1600
     * before decoding the message. Typically it is used to set callback fields
1601
     * inside oneofs. */
1602
93.5k
    if (PB_LTYPE(field->type) == PB_LTYPE_SUBMSG_W_CB && field->pSize != NULL)
1603
26.6k
    {
1604
        /* Message callback is stored right before pSize. */
1605
26.6k
        pb_callback_t *callback = (pb_callback_t*)field->pSize - 1;
1606
26.6k
        if (callback->funcs.decode)
1607
26.6k
        {
1608
26.6k
            status = callback->funcs.decode(&substream, field, &callback->arg);
1609
1610
26.6k
            if (substream.bytes_left == 0)
1611
14.8k
            {
1612
14.8k
                submsg_consumed = true;
1613
14.8k
            }
1614
26.6k
        }
1615
26.6k
    }
1616
1617
    /* Now decode the submessage contents */
1618
93.5k
    if (status && !submsg_consumed)
1619
78.6k
    {
1620
78.6k
        unsigned int flags = 0;
1621
1622
        /* Static required/optional fields are already initialized by top-level
1623
         * pb_decode(), no need to initialize them again. */
1624
78.6k
        if (PB_ATYPE(field->type) == PB_ATYPE_STATIC &&
1625
78.6k
            PB_HTYPE(field->type) != PB_HTYPE_REPEATED)
1626
44.7k
        {
1627
44.7k
            flags = PB_DECODE_NOINIT;
1628
44.7k
        }
1629
1630
78.6k
        status = pb_decode_inner(&substream, field->submsg_desc, field->pData, flags);
1631
78.6k
    }
1632
    
1633
93.5k
    if (!pb_close_string_substream(stream, &substream))
1634
916
        return false;
1635
1636
92.5k
    return status;
1637
93.5k
}
1638
1639
static bool checkreturn pb_dec_fixed_length_bytes(pb_istream_t *stream, const pb_field_iter_t *field)
1640
11.0k
{
1641
11.0k
    uint32_t size;
1642
1643
11.0k
    if (!pb_decode_varint32(stream, &size))
1644
11
        return false;
1645
1646
11.0k
    if (size > PB_SIZE_MAX)
1647
91
        PB_RETURN_ERROR(stream, "bytes overflow");
1648
1649
10.9k
    if (size == 0)
1650
1.99k
    {
1651
        /* As a special case, treat empty bytes string as all zeros for fixed_length_bytes. */
1652
1.99k
        memset(field->pData, 0, (size_t)field->data_size);
1653
1.99k
        return true;
1654
1.99k
    }
1655
1656
8.95k
    if (size != field->data_size)
1657
127
        PB_RETURN_ERROR(stream, "incorrect fixed length bytes size");
1658
1659
8.82k
    return pb_read(stream, (pb_byte_t*)field->pData, (size_t)field->data_size);
1660
8.95k
}
1661
1662
#ifdef PB_CONVERT_DOUBLE_FLOAT
1663
bool pb_decode_double_as_float(pb_istream_t *stream, float *dest)
1664
{
1665
    uint_least8_t sign;
1666
    int exponent;
1667
    uint32_t mantissa;
1668
    uint64_t value;
1669
    union { float f; uint32_t i; } out;
1670
1671
    if (!pb_decode_fixed64(stream, &value))
1672
        return false;
1673
1674
    /* Decompose input value */
1675
    sign = (uint_least8_t)((value >> 63) & 1);
1676
    exponent = (int)((value >> 52) & 0x7FF) - 1023;
1677
    mantissa = (value >> 28) & 0xFFFFFF; /* Highest 24 bits */
1678
1679
    /* Figure if value is in range representable by floats. */
1680
    if (exponent == 1024)
1681
    {
1682
        /* Special value */
1683
        exponent = 128;
1684
        mantissa >>= 1;
1685
    }
1686
    else
1687
    {
1688
        if (exponent > 127)
1689
        {
1690
            /* Too large, convert to infinity */
1691
            exponent = 128;
1692
            mantissa = 0;
1693
        }
1694
        else if (exponent < -150)
1695
        {
1696
            /* Too small, convert to zero */
1697
            exponent = -127;
1698
            mantissa = 0;
1699
        }
1700
        else if (exponent < -126)
1701
        {
1702
            /* Denormalized */
1703
            mantissa |= 0x1000000;
1704
            mantissa >>= (-126 - exponent);
1705
            exponent = -127;
1706
        }
1707
1708
        /* Round off mantissa */
1709
        mantissa = (mantissa + 1) >> 1;
1710
1711
        /* Check if mantissa went over 2.0 */
1712
        if (mantissa & 0x800000)
1713
        {
1714
            exponent += 1;
1715
            mantissa &= 0x7FFFFF;
1716
            mantissa >>= 1;
1717
        }
1718
    }
1719
1720
    /* Combine fields */
1721
    out.i = mantissa;
1722
    out.i |= (uint32_t)(exponent + 127) << 23;
1723
    out.i |= (uint32_t)sign << 31;
1724
1725
    *dest = out.f;
1726
    return true;
1727
}
1728
#endif