possible overflow bugs

[harryreps]

sml_parser/src/sml.cpp

Lines 90 to 93 in ca76a0a

	if (currentLevel < MAX_TREE_SIZE)
	currentLevel++;
	nodes[currentLevel] = size;
	SML_TREELOG(currentLevel, "LISTSTART on level %i with %i nodes\n",

Suppose currentLevel = MAX_TREE_SIZE - 1 at Line 90. Then, currentLevel = MAX_TREE_SIZE at Line 92, which leads to the following overflow bug.

==269918==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000f11e4a at pc 0x000000558309 bp 0x7ffde1d4abf0 sp 0x7ffde1d4abe8
WRITE of size 1 at 0x000000f11e4a thread T0
    #0 0x558308 in smlNewList(unsigned char) /home/parallels/sml_parser/src/sml.cpp:92:23
    #1 0x558637 in checkMagicByte(unsigned char&) /home/parallels/sml_parser/src/sml.cpp:118:5
    #2 0x559c52 in smlState(unsigned char&) /home/parallels/sml_parser/src/sml.cpp:292:5

[harryreps]

sml_parser/src/sml.cpp

Lines 366 to 369 in ca76a0a

	for (y = 0; y < size; y++) {
	// left shift received bytes to 64 bit signed integer
	val = (val << 8) | listBuffer[i + y];
	}

i+y in the code above may overrun the global buffer listBuffer, leading the following bug

==271680==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000f11dd0 at pc 0x00000055a750 bp 0x7fff25f2b3b0 sp 0x7fff25f2b3a8
READ of size 1 at 0x000000f11dd0 thread T0
    #0 0x55a74f in smlOBISByUnit(long long&, signed char&, sml_units_t) /home/parallels/sml_parser/src/sml.cpp:368:28
    #1 0x55a979 in smlOBISWh(double&) /home/parallels/sml_parser/src/sml.cpp:378:3

[harryreps]

sml_parser/src/sml.cpp

Lines 303 to 318 in ca76a0a

	void smlOBISManufacturer(unsigned char *str, int maxSize)
	{
	int i = 0, pos = 0, size = 0;
	while (i < listPos) {
	size = (int)listBuffer[i];
	i++;
	pos++;
	if (pos == 6) {
	/* get manufacturer at position 6 in list */
	size = (size > maxSize - 1) ? maxSize : size;
	memcpy(str, &listBuffer[i + 1], size);
	str[size + 1] = 0;
	}
	i += size + 1;
	}
	}

i+1 and size+1 at Lines 313 and 314 may overrun the buffer and lead to the following bug:

==272722==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000f11cc6 at pc 0x000000559dcb bp 0x7ffc4eef20d0 sp 0x7ffc4eef20c8
WRITE of size 1 at 0x000000f11cc6 thread T0
    #0 0x559dca in smlOBISManufacturer(unsigned char*, int) /home/parallels/sml_parser/src/sml.cpp:314:21
    #1 0x557743 in Manufacturer() /home/parallels/sml_parser/src/main.cpp:15:23