1 /* pb_decode.c -- decode a protobuf using minimal resources
2  *
3  * 2011 Petteri Aimonen <jpa@kapsi.fi>
4  */
5 
6 /* Use the GCC warn_unused_result attribute to check that all return values
7  * are propagated correctly. On other compilers and gcc before 3.4.0 just
8  * ignore the annotation.
9  */
10 #if !defined(__GNUC__) || ( __GNUC__ < 3) || (__GNUC__ == 3 && __GNUC_MINOR__ < 4)
11     #define checkreturn
12 #else
13     #define checkreturn __attribute__((warn_unused_result))
14 #endif
15 
16 #include "pb.h"
17 #include "pb_decode.h"
18 #include "pb_common.h"
19 
20 /**************************************
21  * Declarations internal to this file *
22  **************************************/
23 
24 typedef bool (*pb_decoder_t)(pb_istream_t *stream, const pb_field_t *field, void *dest) checkreturn;
25 
26 static bool checkreturn buf_read(pb_istream_t *stream, pb_byte_t *buf, size_t count);
27 static bool checkreturn read_raw_value(pb_istream_t *stream, pb_wire_type_t wire_type, pb_byte_t *buf, size_t *size);
28 static bool checkreturn decode_static_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter);
29 static bool checkreturn decode_callback_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter);
30 static bool checkreturn decode_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter);
31 static void iter_from_extension(pb_field_iter_t *iter, pb_extension_t *extension);
32 static bool checkreturn default_extension_decoder(pb_istream_t *stream, pb_extension_t *extension, uint32_t tag, pb_wire_type_t wire_type);
33 static bool checkreturn decode_extension(pb_istream_t *stream, uint32_t tag, pb_wire_type_t wire_type, pb_field_iter_t *iter);
34 static bool checkreturn find_extension_field(pb_field_iter_t *iter);
35 static void pb_field_set_to_default(pb_field_iter_t *iter);
36 static void pb_message_set_to_defaults(const pb_field_t fields[], void *dest_struct);
37 static bool checkreturn pb_dec_varint(pb_istream_t *stream, const pb_field_t *field, void *dest);
38 static bool checkreturn pb_decode_varint32_eof(pb_istream_t *stream, uint32_t *dest, bool *eof);
39 static bool checkreturn pb_dec_uvarint(pb_istream_t *stream, const pb_field_t *field, void *dest);
40 static bool checkreturn pb_dec_svarint(pb_istream_t *stream, const pb_field_t *field, void *dest);
41 static bool checkreturn pb_dec_fixed32(pb_istream_t *stream, const pb_field_t *field, void *dest);
42 static bool checkreturn pb_dec_fixed64(pb_istream_t *stream, const pb_field_t *field, void *dest);
43 static bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_t *field, void *dest);
44 static bool checkreturn pb_dec_string(pb_istream_t *stream, const pb_field_t *field, void *dest);
45 static bool checkreturn pb_dec_submessage(pb_istream_t *stream, const pb_field_t *field, void *dest);
46 static bool checkreturn pb_dec_fixed_length_bytes(pb_istream_t *stream, const pb_field_t *field, void *dest);
47 static bool checkreturn pb_skip_varint(pb_istream_t *stream);
48 static bool checkreturn pb_skip_string(pb_istream_t *stream);
49 
50 #ifdef PB_ENABLE_MALLOC
51 static bool checkreturn allocate_field(pb_istream_t *stream, void *pData, size_t data_size, size_t array_size);
52 static bool checkreturn pb_release_union_field(pb_istream_t *stream, pb_field_iter_t *iter);
53 static void pb_release_single_field(const pb_field_iter_t *iter);
54 #endif
55 
56 #ifdef PB_WITHOUT_64BIT
57 #define pb_int64_t int32_t
58 #define pb_uint64_t uint32_t
59 #else
60 #define pb_int64_t int64_t
61 #define pb_uint64_t uint64_t
62 #endif
63 
64 /* --- Function pointers to field decoders ---
65  * Order in the array must match pb_action_t LTYPE numbering.
66  */
67 static const pb_decoder_t PB_DECODERS[PB_LTYPES_COUNT] = {
68     &pb_dec_varint,
69     &pb_dec_uvarint,
70     &pb_dec_svarint,
71     &pb_dec_fixed32,
72     &pb_dec_fixed64,
73 
74     &pb_dec_bytes,
75     &pb_dec_string,
76     &pb_dec_submessage,
77     NULL, /* extensions */
78     &pb_dec_fixed_length_bytes
79 };
80 
81 /*******************************
82  * pb_istream_t implementation *
83  *******************************/
84 
buf_read(pb_istream_t * stream,pb_byte_t * buf,size_t count)85 static bool checkreturn buf_read(pb_istream_t *stream, pb_byte_t *buf, size_t count)
86 {
87     size_t i;
88     const pb_byte_t *source = (const pb_byte_t*)stream->state;
89     stream->state = (pb_byte_t*)stream->state + count;
90 
91     if (buf != NULL)
92     {
93         for (i = 0; i < count; i++)
94             buf[i] = source[i];
95     }
96 
97     return true;
98 }
99 
pb_read(pb_istream_t * stream,pb_byte_t * buf,size_t count)100 bool checkreturn pb_read(pb_istream_t *stream, pb_byte_t *buf, size_t count)
101 {
102 #ifndef PB_BUFFER_ONLY
103 	if (buf == NULL && stream->callback != buf_read)
104 	{
105 		/* Skip input bytes */
106 		pb_byte_t tmp[16];
107 		while (count > 16)
108 		{
109 			if (!pb_read(stream, tmp, 16))
110 				return false;
111 
112 			count -= 16;
113 		}
114 
115 		return pb_read(stream, tmp, count);
116 	}
117 #endif
118 
119     if (stream->bytes_left < count)
120         PB_RETURN_ERROR(stream, "end-of-stream");
121 
122 #ifndef PB_BUFFER_ONLY
123     if (!stream->callback(stream, buf, count))
124         PB_RETURN_ERROR(stream, "io error");
125 #else
126     if (!buf_read(stream, buf, count))
127         return false;
128 #endif
129 
130     stream->bytes_left -= count;
131     return true;
132 }
133 
134 /* Read a single byte from input stream. buf may not be NULL.
135  * This is an optimization for the varint decoding. */
pb_readbyte(pb_istream_t * stream,pb_byte_t * buf)136 static bool checkreturn pb_readbyte(pb_istream_t *stream, pb_byte_t *buf)
137 {
138     if (stream->bytes_left == 0)
139         PB_RETURN_ERROR(stream, "end-of-stream");
140 
141 #ifndef PB_BUFFER_ONLY
142     if (!stream->callback(stream, buf, 1))
143         PB_RETURN_ERROR(stream, "io error");
144 #else
145     *buf = *(const pb_byte_t*)stream->state;
146     stream->state = (pb_byte_t*)stream->state + 1;
147 #endif
148 
149     stream->bytes_left--;
150 
151     return true;
152 }
153 
pb_istream_from_buffer(const pb_byte_t * buf,size_t bufsize)154 pb_istream_t pb_istream_from_buffer(const pb_byte_t *buf, size_t bufsize)
155 {
156     pb_istream_t stream;
157     /* Cast away the const from buf without a compiler error.  We are
158      * careful to use it only in a const manner in the callbacks.
159      */
160     union {
161         void *state;
162         const void *c_state;
163     } state;
164 #ifdef PB_BUFFER_ONLY
165     stream.callback = NULL;
166 #else
167     stream.callback = &buf_read;
168 #endif
169     state.c_state = buf;
170     stream.state = state.state;
171     stream.bytes_left = bufsize;
172 #ifndef PB_NO_ERRMSG
173     stream.errmsg = NULL;
174 #endif
175     return stream;
176 }
177 
178 /********************
179  * Helper functions *
180  ********************/
181 
pb_decode_varint32_eof(pb_istream_t * stream,uint32_t * dest,bool * eof)182 static bool checkreturn pb_decode_varint32_eof(pb_istream_t *stream, uint32_t *dest, bool *eof)
183 {
184     pb_byte_t byte;
185     uint32_t result;
186 
187     if (!pb_readbyte(stream, &byte))
188     {
189         if (stream->bytes_left == 0)
190         {
191             if (eof)
192             {
193                 *eof = true;
194             }
195         }
196 
197         return false;
198     }
199 
200     if ((byte & 0x80) == 0)
201     {
202         /* Quick case, 1 byte value */
203         result = byte;
204     }
205     else
206     {
207         /* Multibyte case */
208         uint_fast8_t bitpos = 7;
209         result = byte & 0x7F;
210 
211         do
212         {
213             if (!pb_readbyte(stream, &byte))
214                 return false;
215 
216             if (bitpos >= 32)
217             {
218                 /* Note: The varint could have trailing 0x80 bytes, or 0xFF for negative. */
219                 uint8_t sign_extension = (bitpos < 63) ? 0xFF : 0x01;
220 
221                 if ((byte & 0x7F) != 0x00 && ((result >> 31) == 0 || byte != sign_extension))
222                 {
223                     PB_RETURN_ERROR(stream, "varint overflow");
224                 }
225             }
226             else
227             {
228                 result |= (uint32_t)(byte & 0x7F) << bitpos;
229             }
230             bitpos = (uint_fast8_t)(bitpos + 7);
231         } while (byte & 0x80);
232 
233         if (bitpos == 35 && (byte & 0x70) != 0)
234         {
235             /* The last byte was at bitpos=28, so only bottom 4 bits fit. */
236             PB_RETURN_ERROR(stream, "varint overflow");
237         }
238    }
239 
240    *dest = result;
241    return true;
242 }
243 
pb_decode_varint32(pb_istream_t * stream,uint32_t * dest)244 bool checkreturn pb_decode_varint32(pb_istream_t *stream, uint32_t *dest)
245 {
246     return pb_decode_varint32_eof(stream, dest, NULL);
247 }
248 
249 #ifndef PB_WITHOUT_64BIT
pb_decode_varint(pb_istream_t * stream,uint64_t * dest)250 bool checkreturn pb_decode_varint(pb_istream_t *stream, uint64_t *dest)
251 {
252     pb_byte_t byte;
253     uint_fast8_t bitpos = 0;
254     uint64_t result = 0;
255 
256     do
257     {
258         if (bitpos >= 64)
259             PB_RETURN_ERROR(stream, "varint overflow");
260 
261         if (!pb_readbyte(stream, &byte))
262             return false;
263 
264         result |= (uint64_t)(byte & 0x7F) << bitpos;
265         bitpos = (uint_fast8_t)(bitpos + 7);
266     } while (byte & 0x80);
267 
268     *dest = result;
269     return true;
270 }
271 #endif
272 
pb_skip_varint(pb_istream_t * stream)273 bool checkreturn pb_skip_varint(pb_istream_t *stream)
274 {
275     pb_byte_t byte;
276     do
277     {
278         if (!pb_read(stream, &byte, 1))
279             return false;
280     } while (byte & 0x80);
281     return true;
282 }
283 
pb_skip_string(pb_istream_t * stream)284 bool checkreturn pb_skip_string(pb_istream_t *stream)
285 {
286     uint32_t length;
287     if (!pb_decode_varint32(stream, &length))
288         return false;
289 
290     return pb_read(stream, NULL, length);
291 }
292 
pb_decode_tag(pb_istream_t * stream,pb_wire_type_t * wire_type,uint32_t * tag,bool * eof)293 bool checkreturn pb_decode_tag(pb_istream_t *stream, pb_wire_type_t *wire_type, uint32_t *tag, bool *eof)
294 {
295     uint32_t temp;
296     *eof = false;
297     *wire_type = (pb_wire_type_t) 0;
298     *tag = 0;
299 
300     if (!pb_decode_varint32_eof(stream, &temp, eof))
301     {
302         return false;
303     }
304 
305     if (temp == 0)
306     {
307         *eof = true; /* Special feature: allow 0-terminated messages. */
308         return false;
309     }
310 
311     *tag = temp >> 3;
312     *wire_type = (pb_wire_type_t)(temp & 7);
313     return true;
314 }
315 
pb_skip_field(pb_istream_t * stream,pb_wire_type_t wire_type)316 bool checkreturn pb_skip_field(pb_istream_t *stream, pb_wire_type_t wire_type)
317 {
318     switch (wire_type)
319     {
320         case PB_WT_VARINT: return pb_skip_varint(stream);
321         case PB_WT_64BIT: return pb_read(stream, NULL, 8);
322         case PB_WT_STRING: return pb_skip_string(stream);
323         case PB_WT_32BIT: return pb_read(stream, NULL, 4);
324         default: PB_RETURN_ERROR(stream, "invalid wire_type");
325     }
326 }
327 
328 /* Read a raw value to buffer, for the purpose of passing it to callback as
329  * a substream. Size is maximum size on call, and actual size on return.
330  */
read_raw_value(pb_istream_t * stream,pb_wire_type_t wire_type,pb_byte_t * buf,size_t * size)331 static bool checkreturn read_raw_value(pb_istream_t *stream, pb_wire_type_t wire_type, pb_byte_t *buf, size_t *size)
332 {
333     size_t max_size = *size;
334     switch (wire_type)
335     {
336         case PB_WT_VARINT:
337             *size = 0;
338             do
339             {
340                 (*size)++;
341                 if (*size > max_size) return false;
342                 if (!pb_read(stream, buf, 1)) return false;
343             } while (*buf++ & 0x80);
344             return true;
345 
346         case PB_WT_64BIT:
347             *size = 8;
348             return pb_read(stream, buf, 8);
349 
350         case PB_WT_32BIT:
351             *size = 4;
352             return pb_read(stream, buf, 4);
353 
354         case PB_WT_STRING:
355             /* Calling read_raw_value with a PB_WT_STRING is an error.
356              * Explicitly handle this case and fallthrough to default to avoid
357              * compiler warnings.
358              */
359 
360         default: PB_RETURN_ERROR(stream, "invalid wire_type");
361     }
362 }
363 
364 /* Decode string length from stream and return a substream with limited length.
365  * Remember to close the substream using pb_close_string_substream().
366  */
pb_make_string_substream(pb_istream_t * stream,pb_istream_t * substream)367 bool checkreturn pb_make_string_substream(pb_istream_t *stream, pb_istream_t *substream)
368 {
369     uint32_t size;
370     if (!pb_decode_varint32(stream, &size))
371         return false;
372 
373     *substream = *stream;
374     if (substream->bytes_left < size)
375         PB_RETURN_ERROR(stream, "parent stream too short");
376 
377     substream->bytes_left = size;
378     stream->bytes_left -= size;
379     return true;
380 }
381 
pb_close_string_substream(pb_istream_t * stream,pb_istream_t * substream)382 bool checkreturn pb_close_string_substream(pb_istream_t *stream, pb_istream_t *substream)
383 {
384     if (substream->bytes_left) {
385         if (!pb_read(substream, NULL, substream->bytes_left))
386             return false;
387     }
388 
389     stream->state = substream->state;
390 
391 #ifndef PB_NO_ERRMSG
392     stream->errmsg = substream->errmsg;
393 #endif
394     return true;
395 }
396 
397 /*************************
398  * Decode a single field *
399  *************************/
400 
decode_static_field(pb_istream_t * stream,pb_wire_type_t wire_type,pb_field_iter_t * iter)401 static bool checkreturn decode_static_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)
402 {
403     pb_type_t type;
404     pb_decoder_t func;
405 
406     type = iter->pos->type;
407     func = PB_DECODERS[PB_LTYPE(type)];
408 
409     switch (PB_HTYPE(type))
410     {
411         case PB_HTYPE_REQUIRED:
412             return func(stream, iter->pos, iter->pData);
413 
414         case PB_HTYPE_OPTIONAL:
415             if (iter->pSize != iter->pData)
416                 *(bool*)iter->pSize = true;
417             return func(stream, iter->pos, iter->pData);
418 
419         case PB_HTYPE_REPEATED:
420             if (wire_type == PB_WT_STRING
421                 && PB_LTYPE(type) <= PB_LTYPE_LAST_PACKABLE)
422             {
423                 /* Packed array */
424                 bool status = true;
425                 pb_size_t *size = (pb_size_t*)iter->pSize;
426 
427                 pb_istream_t substream;
428                 if (!pb_make_string_substream(stream, &substream))
429                     return false;
430 
431                 while (substream.bytes_left > 0 && *size < iter->pos->array_size)
432                 {
433                     void *pItem = (char*)iter->pData + iter->pos->data_size * (*size);
434                     if (!func(&substream, iter->pos, pItem))
435                     {
436                         status = false;
437                         break;
438                     }
439                     (*size)++;
440                 }
441 
442                 if (substream.bytes_left != 0)
443                     PB_RETURN_ERROR(stream, "array overflow");
444                 if (!pb_close_string_substream(stream, &substream))
445                     return false;
446 
447                 return status;
448             }
449             else
450             {
451                 /* Repeated field */
452                 pb_size_t *size = (pb_size_t*)iter->pSize;
453                 char *pItem = (char*)iter->pData + iter->pos->data_size * (*size);
454 
455                 if ((*size)++ >= iter->pos->array_size)
456                     PB_RETURN_ERROR(stream, "array overflow");
457 
458                 return func(stream, iter->pos, pItem);
459             }
460 
461         case PB_HTYPE_ONEOF:
462             *(pb_size_t*)iter->pSize = iter->pos->tag;
463             if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE)
464             {
465                 /* We memset to zero so that any callbacks are set to NULL.
466                  * Then set any default values. */
467                 memset(iter->pData, 0, iter->pos->data_size);
468                 pb_message_set_to_defaults((const pb_field_t*)iter->pos->ptr, iter->pData);
469             }
470             return func(stream, iter->pos, iter->pData);
471 
472         default:
473             PB_RETURN_ERROR(stream, "invalid field type");
474     }
475 }
476 
477 #ifdef PB_ENABLE_MALLOC
478 /* Allocate storage for the field and store the pointer at iter->pData.
479  * array_size is the number of entries to reserve in an array.
480  * Zero size is not allowed, use pb_free() for releasing.
481  */
allocate_field(pb_istream_t * stream,void * pData,size_t data_size,size_t array_size)482 static bool checkreturn allocate_field(pb_istream_t *stream, void *pData, size_t data_size, size_t array_size)
483 {
484     void *ptr = *(void**)pData;
485 
486     if (data_size == 0 || array_size == 0)
487         PB_RETURN_ERROR(stream, "invalid size");
488 
489     /* Check for multiplication overflows.
490      * This code avoids the costly division if the sizes are small enough.
491      * Multiplication is safe as long as only half of bits are set
492      * in either multiplicand.
493      */
494     {
495         const size_t check_limit = (size_t)1 << (sizeof(size_t) * 4);
496         if (data_size >= check_limit || array_size >= check_limit)
497         {
498             const size_t size_max = (size_t)-1;
499             if (size_max / array_size < data_size)
500             {
501                 PB_RETURN_ERROR(stream, "size too large");
502             }
503         }
504     }
505 
506     /* Allocate new or expand previous allocation */
507     /* Note: on failure the old pointer will remain in the structure,
508      * the message must be freed by caller also on error return. */
509     ptr = pb_realloc(ptr, array_size * data_size);
510     if (ptr == NULL)
511         PB_RETURN_ERROR(stream, "realloc failed");
512 
513     *(void**)pData = ptr;
514     return true;
515 }
516 
517 /* Clear a newly allocated item in case it contains a pointer, or is a submessage. */
initialize_pointer_field(void * pItem,pb_field_iter_t * iter)518 static void initialize_pointer_field(void *pItem, pb_field_iter_t *iter)
519 {
520     if (PB_LTYPE(iter->pos->type) == PB_LTYPE_STRING ||
521         PB_LTYPE(iter->pos->type) == PB_LTYPE_BYTES)
522     {
523         *(void**)pItem = NULL;
524     }
525     else if (PB_LTYPE(iter->pos->type) == PB_LTYPE_SUBMESSAGE)
526     {
527         /* We memset to zero so that any callbacks are set to NULL.
528          * Then set any default values. */
529         memset(pItem, 0, iter->pos->data_size);
530         pb_message_set_to_defaults((const pb_field_t *) iter->pos->ptr, pItem);
531     }
532 }
533 #endif
534 
decode_pointer_field(pb_istream_t * stream,pb_wire_type_t wire_type,pb_field_iter_t * iter)535 static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)
536 {
537 #ifndef PB_ENABLE_MALLOC
538     PB_UNUSED(wire_type);
539     PB_UNUSED(iter);
540     PB_RETURN_ERROR(stream, "no malloc support");
541 #else
542     pb_type_t type;
543     pb_decoder_t func;
544 
545     type = iter->pos->type;
546     func = PB_DECODERS[PB_LTYPE(type)];
547 
548     switch (PB_HTYPE(type))
549     {
550         case PB_HTYPE_REQUIRED:
551         case PB_HTYPE_OPTIONAL:
552         case PB_HTYPE_ONEOF:
553             if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE &&
554                 *(void**)iter->pData != NULL)
555             {
556                 /* Duplicate field, have to release the old allocation first. */
557                 pb_release_single_field(iter);
558             }
559 
560             if (PB_HTYPE(type) == PB_HTYPE_ONEOF)
561             {
562                 *(pb_size_t*)iter->pSize = iter->pos->tag;
563             }
564 
565             if (PB_LTYPE(type) == PB_LTYPE_STRING ||
566                 PB_LTYPE(type) == PB_LTYPE_BYTES)
567             {
568                 return func(stream, iter->pos, iter->pData);
569             }
570             else
571             {
572                 if (!allocate_field(stream, iter->pData, iter->pos->data_size, 1))
573                     return false;
574 
575                 initialize_pointer_field(*(void**)iter->pData, iter);
576                 return func(stream, iter->pos, *(void**)iter->pData);
577             }
578 
579         case PB_HTYPE_REPEATED:
580             if (wire_type == PB_WT_STRING
581                 && PB_LTYPE(type) <= PB_LTYPE_LAST_PACKABLE)
582             {
583                 /* Packed array, multiple items come in at once. */
584                 bool status = true;
585                 pb_size_t *size = (pb_size_t*)iter->pSize;
586                 size_t allocated_size = *size;
587                 void *pItem;
588                 pb_istream_t substream;
589 
590                 if (!pb_make_string_substream(stream, &substream))
591                     return false;
592 
593                 while (substream.bytes_left)
594                 {
595                     if ((size_t)*size + 1 > allocated_size)
596                     {
597                         /* Allocate more storage. This tries to guess the
598                          * number of remaining entries. Round the division
599                          * upwards. */
600                         allocated_size += (substream.bytes_left - 1) / iter->pos->data_size + 1;
601 
602                         if (!allocate_field(&substream, iter->pData, iter->pos->data_size, allocated_size))
603                         {
604                             status = false;
605                             break;
606                         }
607                     }
608 
609                     /* Decode the array entry */
610                     pItem = *(char**)iter->pData + iter->pos->data_size * (*size);
611                     initialize_pointer_field(pItem, iter);
612                     if (!func(&substream, iter->pos, pItem))
613                     {
614                         status = false;
615                         break;
616                     }
617 
618                     if (*size == PB_SIZE_MAX)
619                     {
620 #ifndef PB_NO_ERRMSG
621                         stream->errmsg = "too many array entries";
622 #endif
623                         status = false;
624                         break;
625                     }
626 
627                     (*size)++;
628                 }
629                 if (!pb_close_string_substream(stream, &substream))
630                     return false;
631 
632                 return status;
633             }
634             else
635             {
636                 /* Normal repeated field, i.e. only one item at a time. */
637                 pb_size_t *size = (pb_size_t*)iter->pSize;
638                 void *pItem;
639 
640                 if (*size == PB_SIZE_MAX)
641                     PB_RETURN_ERROR(stream, "too many array entries");
642 
643                 (*size)++;
644                 if (!allocate_field(stream, iter->pData, iter->pos->data_size, *size))
645                     return false;
646 
647                 pItem = *(char**)iter->pData + iter->pos->data_size * (*size - 1);
648                 initialize_pointer_field(pItem, iter);
649                 return func(stream, iter->pos, pItem);
650             }
651 
652         default:
653             PB_RETURN_ERROR(stream, "invalid field type");
654     }
655 #endif
656 }
657 
decode_callback_field(pb_istream_t * stream,pb_wire_type_t wire_type,pb_field_iter_t * iter)658 static bool checkreturn decode_callback_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)
659 {
660     pb_callback_t *pCallback = (pb_callback_t*)iter->pData;
661 
662 #ifdef PB_OLD_CALLBACK_STYLE
663     void *arg = pCallback->arg;
664 #else
665     void **arg = &(pCallback->arg);
666 #endif
667 
668     if (pCallback == NULL || pCallback->funcs.decode == NULL)
669         return pb_skip_field(stream, wire_type);
670 
671     if (wire_type == PB_WT_STRING)
672     {
673         pb_istream_t substream;
674 
675         if (!pb_make_string_substream(stream, &substream))
676             return false;
677 
678         do
679         {
680             if (!pCallback->funcs.decode(&substream, iter->pos, arg))
681                 PB_RETURN_ERROR(stream, "callback failed");
682         } while (substream.bytes_left);
683 
684         if (!pb_close_string_substream(stream, &substream))
685             return false;
686 
687         return true;
688     }
689     else
690     {
691         /* Copy the single scalar value to stack.
692          * This is required so that we can limit the stream length,
693          * which in turn allows to use same callback for packed and
694          * not-packed fields. */
695         pb_istream_t substream;
696         pb_byte_t buffer[10];
697         size_t size = sizeof(buffer);
698 
699         if (!read_raw_value(stream, wire_type, buffer, &size))
700             return false;
701         substream = pb_istream_from_buffer(buffer, size);
702 
703         return pCallback->funcs.decode(&substream, iter->pos, arg);
704     }
705 }
706 
decode_field(pb_istream_t * stream,pb_wire_type_t wire_type,pb_field_iter_t * iter)707 static bool checkreturn decode_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)
708 {
709 #ifdef PB_ENABLE_MALLOC
710     /* When decoding an oneof field, check if there is old data that must be
711      * released first. */
712     if (PB_HTYPE(iter->pos->type) == PB_HTYPE_ONEOF)
713     {
714         if (!pb_release_union_field(stream, iter))
715             return false;
716     }
717 #endif
718 
719     switch (PB_ATYPE(iter->pos->type))
720     {
721         case PB_ATYPE_STATIC:
722             return decode_static_field(stream, wire_type, iter);
723 
724         case PB_ATYPE_POINTER:
725             return decode_pointer_field(stream, wire_type, iter);
726 
727         case PB_ATYPE_CALLBACK:
728             return decode_callback_field(stream, wire_type, iter);
729 
730         default:
731             PB_RETURN_ERROR(stream, "invalid field type");
732     }
733 }
734 
iter_from_extension(pb_field_iter_t * iter,pb_extension_t * extension)735 static void iter_from_extension(pb_field_iter_t *iter, pb_extension_t *extension)
736 {
737     /* Fake a field iterator for the extension field.
738      * It is not actually safe to advance this iterator, but decode_field
739      * will not even try to. */
740     const pb_field_t *field = (const pb_field_t*)extension->type->arg;
741     (void)pb_field_iter_begin(iter, field, extension->dest);
742     iter->pData = extension->dest;
743     iter->pSize = &extension->found;
744 
745     if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)
746     {
747         /* For pointer extensions, the pointer is stored directly
748          * in the extension structure. This avoids having an extra
749          * indirection. */
750         iter->pData = &extension->dest;
751     }
752 }
753 
754 /* Default handler for extension fields. Expects a pb_field_t structure
755  * in extension->type->arg. */
default_extension_decoder(pb_istream_t * stream,pb_extension_t * extension,uint32_t tag,pb_wire_type_t wire_type)756 static bool checkreturn default_extension_decoder(pb_istream_t *stream,
757     pb_extension_t *extension, uint32_t tag, pb_wire_type_t wire_type)
758 {
759     const pb_field_t *field = (const pb_field_t*)extension->type->arg;
760     pb_field_iter_t iter;
761 
762     if (field->tag != tag)
763         return true;
764 
765     iter_from_extension(&iter, extension);
766     extension->found = true;
767     return decode_field(stream, wire_type, &iter);
768 }
769 
770 /* Try to decode an unknown field as an extension field. Tries each extension
771  * decoder in turn, until one of them handles the field or loop ends. */
decode_extension(pb_istream_t * stream,uint32_t tag,pb_wire_type_t wire_type,pb_field_iter_t * iter)772 static bool checkreturn decode_extension(pb_istream_t *stream,
773     uint32_t tag, pb_wire_type_t wire_type, pb_field_iter_t *iter)
774 {
775     pb_extension_t *extension = *(pb_extension_t* const *)iter->pData;
776     size_t pos = stream->bytes_left;
777 
778     while (extension != NULL && pos == stream->bytes_left)
779     {
780         bool status;
781         if (extension->type->decode)
782             status = extension->type->decode(stream, extension, tag, wire_type);
783         else
784             status = default_extension_decoder(stream, extension, tag, wire_type);
785 
786         if (!status)
787             return false;
788 
789         extension = extension->next;
790     }
791 
792     return true;
793 }
794 
795 /* Step through the iterator until an extension field is found or until all
796  * entries have been checked. There can be only one extension field per
797  * message. Returns false if no extension field is found. */
find_extension_field(pb_field_iter_t * iter)798 static bool checkreturn find_extension_field(pb_field_iter_t *iter)
799 {
800     const pb_field_t *start = iter->pos;
801 
802     do {
803         if (PB_LTYPE(iter->pos->type) == PB_LTYPE_EXTENSION)
804             return true;
805         (void)pb_field_iter_next(iter);
806     } while (iter->pos != start);
807 
808     return false;
809 }
810 
811 /* Initialize message fields to default values, recursively */
pb_field_set_to_default(pb_field_iter_t * iter)812 static void pb_field_set_to_default(pb_field_iter_t *iter)
813 {
814     pb_type_t type;
815     type = iter->pos->type;
816 
817     if (PB_LTYPE(type) == PB_LTYPE_EXTENSION)
818     {
819         pb_extension_t *ext = *(pb_extension_t* const *)iter->pData;
820         while (ext != NULL)
821         {
822             pb_field_iter_t ext_iter;
823             ext->found = false;
824             iter_from_extension(&ext_iter, ext);
825             pb_field_set_to_default(&ext_iter);
826             ext = ext->next;
827         }
828     }
829     else if (PB_ATYPE(type) == PB_ATYPE_STATIC)
830     {
831         bool init_data = true;
832         if (PB_HTYPE(type) == PB_HTYPE_OPTIONAL && iter->pSize != iter->pData)
833         {
834             /* Set has_field to false. Still initialize the optional field
835              * itself also. */
836             *(bool*)iter->pSize = false;
837         }
838         else if (PB_HTYPE(type) == PB_HTYPE_REPEATED ||
839                  PB_HTYPE(type) == PB_HTYPE_ONEOF)
840         {
841             /* REPEATED: Set array count to 0, no need to initialize contents.
842                ONEOF: Set which_field to 0. */
843             *(pb_size_t*)iter->pSize = 0;
844             init_data = false;
845         }
846 
847         if (init_data)
848         {
849             if (PB_LTYPE(iter->pos->type) == PB_LTYPE_SUBMESSAGE)
850             {
851                 /* Initialize submessage to defaults */
852                 pb_message_set_to_defaults((const pb_field_t *) iter->pos->ptr, iter->pData);
853             }
854             else if (iter->pos->ptr != NULL)
855             {
856                 /* Initialize to default value */
857                 memcpy(iter->pData, iter->pos->ptr, iter->pos->data_size);
858             }
859             else
860             {
861                 /* Initialize to zeros */
862                 memset(iter->pData, 0, iter->pos->data_size);
863             }
864         }
865     }
866     else if (PB_ATYPE(type) == PB_ATYPE_POINTER)
867     {
868         /* Initialize the pointer to NULL. */
869         *(void**)iter->pData = NULL;
870 
871         /* Initialize array count to 0. */
872         if (PB_HTYPE(type) == PB_HTYPE_REPEATED ||
873             PB_HTYPE(type) == PB_HTYPE_ONEOF)
874         {
875             *(pb_size_t*)iter->pSize = 0;
876         }
877     }
878     else if (PB_ATYPE(type) == PB_ATYPE_CALLBACK)
879     {
880         /* Don't overwrite callback */
881     }
882 }
883 
pb_message_set_to_defaults(const pb_field_t fields[],void * dest_struct)884 static void pb_message_set_to_defaults(const pb_field_t fields[], void *dest_struct)
885 {
886     pb_field_iter_t iter;
887 
888     if (!pb_field_iter_begin(&iter, fields, dest_struct))
889         return; /* Empty message type */
890 
891     do
892     {
893         pb_field_set_to_default(&iter);
894     } while (pb_field_iter_next(&iter));
895 }
896 
897 /*********************
898  * Decode all fields *
899  *********************/
900 
pb_decode_noinit(pb_istream_t * stream,const pb_field_t fields[],void * dest_struct)901 bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)
902 {
903     uint32_t fields_seen[(PB_MAX_REQUIRED_FIELDS + 31) / 32] = {0, 0};
904     const uint32_t allbits = ~(uint32_t)0;
905     uint32_t extension_range_start = 0;
906     pb_field_iter_t iter;
907 
908     /* 'fixed_count_field' and 'fixed_count_size' track position of a repeated fixed
909      * count field. This can only handle _one_ repeated fixed count field that
910      * is unpacked and unordered among other (non repeated fixed count) fields.
911      */
912     const pb_field_t *fixed_count_field = NULL;
913     pb_size_t fixed_count_size = 0;
914 
915     /* Return value ignored, as empty message types will be correctly handled by
916      * pb_field_iter_find() anyway. */
917     (void)pb_field_iter_begin(&iter, fields, dest_struct);
918 
919     while (stream->bytes_left)
920     {
921         uint32_t tag;
922         pb_wire_type_t wire_type;
923         bool eof;
924 
925         if (!pb_decode_tag(stream, &wire_type, &tag, &eof))
926         {
927             if (eof)
928                 break;
929             else
930                 return false;
931         }
932 
933         if (!pb_field_iter_find(&iter, tag))
934         {
935             /* No match found, check if it matches an extension. */
936             if (tag >= extension_range_start)
937             {
938                 if (!find_extension_field(&iter))
939                     extension_range_start = (uint32_t)-1;
940                 else
941                     extension_range_start = iter.pos->tag;
942 
943                 if (tag >= extension_range_start)
944                 {
945                     size_t pos = stream->bytes_left;
946 
947                     if (!decode_extension(stream, tag, wire_type, &iter))
948                         return false;
949 
950                     if (pos != stream->bytes_left)
951                     {
952                         /* The field was handled */
953                         continue;
954                     }
955                 }
956             }
957 
958             /* No match found, skip data */
959             if (!pb_skip_field(stream, wire_type))
960                 return false;
961             continue;
962         }
963 
964         /* If a repeated fixed count field was found, get size from
965          * 'fixed_count_field' as there is no counter contained in the struct.
966          */
967         if (PB_HTYPE(iter.pos->type) == PB_HTYPE_REPEATED
968             && iter.pSize == iter.pData)
969         {
970             if (fixed_count_field != iter.pos) {
971                 /* If the new fixed count field does not match the previous one,
972                  * check that the previous one is NULL or that it finished
973                  * receiving all the expected data.
974                  */
975                 if (fixed_count_field != NULL &&
976                     fixed_count_size != fixed_count_field->array_size)
977                 {
978                     PB_RETURN_ERROR(stream, "wrong size for fixed count field");
979                 }
980 
981                 fixed_count_field = iter.pos;
982                 fixed_count_size = 0;
983             }
984 
985             iter.pSize = &fixed_count_size;
986         }
987 
988         if (PB_HTYPE(iter.pos->type) == PB_HTYPE_REQUIRED
989             && iter.required_field_index < PB_MAX_REQUIRED_FIELDS)
990         {
991             uint32_t tmp = ((uint32_t)1 << (iter.required_field_index & 31));
992             fields_seen[iter.required_field_index >> 5] |= tmp;
993         }
994 
995         if (!decode_field(stream, wire_type, &iter))
996             return false;
997     }
998 
999     /* Check that all elements of the last decoded fixed count field were present. */
1000     if (fixed_count_field != NULL &&
1001         fixed_count_size != fixed_count_field->array_size)
1002     {
1003         PB_RETURN_ERROR(stream, "wrong size for fixed count field");
1004     }
1005 
1006     /* Check that all required fields were present. */
1007     {
1008         /* First figure out the number of required fields by
1009          * seeking to the end of the field array. Usually we
1010          * are already close to end after decoding.
1011          */
1012         unsigned req_field_count;
1013         pb_type_t last_type;
1014         unsigned i;
1015         do {
1016             req_field_count = iter.required_field_index;
1017             last_type = iter.pos->type;
1018         } while (pb_field_iter_next(&iter));
1019 
1020         /* Fixup if last field was also required. */
1021         if (PB_HTYPE(last_type) == PB_HTYPE_REQUIRED && iter.pos->tag != 0)
1022             req_field_count++;
1023 
1024         if (req_field_count > PB_MAX_REQUIRED_FIELDS)
1025             req_field_count = PB_MAX_REQUIRED_FIELDS;
1026 
1027         if (req_field_count > 0)
1028         {
1029             /* Check the whole words */
1030             for (i = 0; i < (req_field_count >> 5); i++)
1031             {
1032                 if (fields_seen[i] != allbits)
1033                     PB_RETURN_ERROR(stream, "missing required field");
1034             }
1035 
1036             /* Check the remaining bits (if any) */
1037             if ((req_field_count & 31) != 0)
1038             {
1039                 if (fields_seen[req_field_count >> 5] !=
1040                     (allbits >> (32 - (req_field_count & 31))))
1041                 {
1042                     PB_RETURN_ERROR(stream, "missing required field");
1043                 }
1044             }
1045         }
1046     }
1047 
1048     return true;
1049 }
1050 
pb_decode(pb_istream_t * stream,const pb_field_t fields[],void * dest_struct)1051 bool checkreturn pb_decode(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)
1052 {
1053     bool status;
1054     pb_message_set_to_defaults(fields, dest_struct);
1055     status = pb_decode_noinit(stream, fields, dest_struct);
1056 
1057 #ifdef PB_ENABLE_MALLOC
1058     if (!status)
1059         pb_release(fields, dest_struct);
1060 #endif
1061 
1062     return status;
1063 }
1064 
pb_decode_delimited_noinit(pb_istream_t * stream,const pb_field_t fields[],void * dest_struct)1065 bool pb_decode_delimited_noinit(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)
1066 {
1067     pb_istream_t substream;
1068     bool status;
1069 
1070     if (!pb_make_string_substream(stream, &substream))
1071         return false;
1072 
1073     status = pb_decode_noinit(&substream, fields, dest_struct);
1074 
1075     if (!pb_close_string_substream(stream, &substream))
1076         return false;
1077     return status;
1078 }
1079 
pb_decode_delimited(pb_istream_t * stream,const pb_field_t fields[],void * dest_struct)1080 bool pb_decode_delimited(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)
1081 {
1082     pb_istream_t substream;
1083     bool status;
1084 
1085     if (!pb_make_string_substream(stream, &substream))
1086         return false;
1087 
1088     status = pb_decode(&substream, fields, dest_struct);
1089 
1090     if (!pb_close_string_substream(stream, &substream))
1091         return false;
1092     return status;
1093 }
1094 
pb_decode_nullterminated(pb_istream_t * stream,const pb_field_t fields[],void * dest_struct)1095 bool pb_decode_nullterminated(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)
1096 {
1097     /* This behaviour will be separated in nanopb-0.4.0, see issue #278. */
1098     return pb_decode(stream, fields, dest_struct);
1099 }
1100 
1101 #ifdef PB_ENABLE_MALLOC
1102 /* Given an oneof field, if there has already been a field inside this oneof,
1103  * release it before overwriting with a different one. */
pb_release_union_field(pb_istream_t * stream,pb_field_iter_t * iter)1104 static bool pb_release_union_field(pb_istream_t *stream, pb_field_iter_t *iter)
1105 {
1106     pb_size_t old_tag = *(pb_size_t*)iter->pSize; /* Previous which_ value */
1107     pb_size_t new_tag = iter->pos->tag; /* New which_ value */
1108 
1109     if (old_tag == 0)
1110         return true; /* Ok, no old data in union */
1111 
1112     if (old_tag == new_tag)
1113         return true; /* Ok, old data is of same type => merge */
1114 
1115     /* Release old data. The find can fail if the message struct contains
1116      * invalid data. */
1117     if (!pb_field_iter_find(iter, old_tag))
1118         PB_RETURN_ERROR(stream, "invalid union tag");
1119 
1120     pb_release_single_field(iter);
1121 
1122     /* Restore iterator to where it should be.
1123      * This shouldn't fail unless the pb_field_t structure is corrupted. */
1124     if (!pb_field_iter_find(iter, new_tag))
1125         PB_RETURN_ERROR(stream, "iterator error");
1126 
1127     return true;
1128 }
1129 
pb_release_single_field(const pb_field_iter_t * iter)1130 static void pb_release_single_field(const pb_field_iter_t *iter)
1131 {
1132     pb_type_t type;
1133     type = iter->pos->type;
1134 
1135     if (PB_HTYPE(type) == PB_HTYPE_ONEOF)
1136     {
1137         if (*(pb_size_t*)iter->pSize != iter->pos->tag)
1138             return; /* This is not the current field in the union */
1139     }
1140 
1141     /* Release anything contained inside an extension or submsg.
1142      * This has to be done even if the submsg itself is statically
1143      * allocated. */
1144     if (PB_LTYPE(type) == PB_LTYPE_EXTENSION)
1145     {
1146         /* Release fields from all extensions in the linked list */
1147         pb_extension_t *ext = *(pb_extension_t**)iter->pData;
1148         while (ext != NULL)
1149         {
1150             pb_field_iter_t ext_iter;
1151             iter_from_extension(&ext_iter, ext);
1152             pb_release_single_field(&ext_iter);
1153             ext = ext->next;
1154         }
1155     }
1156     else if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE)
1157     {
1158         /* Release fields in submessage or submsg array */
1159         void *pItem = iter->pData;
1160         pb_size_t count = 1;
1161 
1162         if (PB_ATYPE(type) == PB_ATYPE_POINTER)
1163         {
1164             pItem = *(void**)iter->pData;
1165         }
1166 
1167         if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
1168         {
1169             if (PB_ATYPE(type) == PB_ATYPE_STATIC && iter->pSize == iter->pData) {
1170                 /* No _count field so use size of the array */
1171                 count = iter->pos->array_size;
1172             } else {
1173                 count = *(pb_size_t*)iter->pSize;
1174             }
1175 
1176             if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > iter->pos->array_size)
1177             {
1178                 /* Protect against corrupted _count fields */
1179                 count = iter->pos->array_size;
1180             }
1181         }
1182 
1183         if (pItem)
1184         {
1185             while (count--)
1186             {
1187                 pb_release((const pb_field_t*)iter->pos->ptr, pItem);
1188                 pItem = (char*)pItem + iter->pos->data_size;
1189             }
1190         }
1191     }
1192 
1193     if (PB_ATYPE(type) == PB_ATYPE_POINTER)
1194     {
1195         if (PB_HTYPE(type) == PB_HTYPE_REPEATED &&
1196             (PB_LTYPE(type) == PB_LTYPE_STRING ||
1197              PB_LTYPE(type) == PB_LTYPE_BYTES))
1198         {
1199             /* Release entries in repeated string or bytes array */
1200             void **pItem = *(void***)iter->pData;
1201             pb_size_t count = *(pb_size_t*)iter->pSize;
1202             while (count--)
1203             {
1204                 pb_free(*pItem);
1205                 *pItem++ = NULL;
1206             }
1207         }
1208 
1209         if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
1210         {
1211             /* We are going to release the array, so set the size to 0 */
1212             *(pb_size_t*)iter->pSize = 0;
1213         }
1214 
1215         /* Release main item */
1216         pb_free(*(void**)iter->pData);
1217         *(void**)iter->pData = NULL;
1218     }
1219 }
1220 
pb_release(const pb_field_t fields[],void * dest_struct)1221 void pb_release(const pb_field_t fields[], void *dest_struct)
1222 {
1223     pb_field_iter_t iter;
1224 
1225     if (!dest_struct)
1226         return; /* Ignore NULL pointers, similar to free() */
1227 
1228     if (!pb_field_iter_begin(&iter, fields, dest_struct))
1229         return; /* Empty message type */
1230 
1231     do
1232     {
1233         pb_release_single_field(&iter);
1234     } while (pb_field_iter_next(&iter));
1235 }
1236 #endif
1237 
1238 /* Field decoders */
1239 
pb_decode_svarint(pb_istream_t * stream,pb_int64_t * dest)1240 bool pb_decode_svarint(pb_istream_t *stream, pb_int64_t *dest)
1241 {
1242     pb_uint64_t value;
1243     if (!pb_decode_varint(stream, &value))
1244         return false;
1245 
1246     if (value & 1)
1247         *dest = (pb_int64_t)(~(value >> 1));
1248     else
1249         *dest = (pb_int64_t)(value >> 1);
1250 
1251     return true;
1252 }
1253 
pb_decode_fixed32(pb_istream_t * stream,void * dest)1254 bool pb_decode_fixed32(pb_istream_t *stream, void *dest)
1255 {
1256     pb_byte_t bytes[4];
1257 
1258     if (!pb_read(stream, bytes, 4))
1259         return false;
1260 
1261     *(uint32_t*)dest = ((uint32_t)bytes[0] << 0) |
1262                        ((uint32_t)bytes[1] << 8) |
1263                        ((uint32_t)bytes[2] << 16) |
1264                        ((uint32_t)bytes[3] << 24);
1265     return true;
1266 }
1267 
1268 #ifndef PB_WITHOUT_64BIT
pb_decode_fixed64(pb_istream_t * stream,void * dest)1269 bool pb_decode_fixed64(pb_istream_t *stream, void *dest)
1270 {
1271     pb_byte_t bytes[8];
1272 
1273     if (!pb_read(stream, bytes, 8))
1274         return false;
1275 
1276     *(uint64_t*)dest = ((uint64_t)bytes[0] << 0) |
1277                        ((uint64_t)bytes[1] << 8) |
1278                        ((uint64_t)bytes[2] << 16) |
1279                        ((uint64_t)bytes[3] << 24) |
1280                        ((uint64_t)bytes[4] << 32) |
1281                        ((uint64_t)bytes[5] << 40) |
1282                        ((uint64_t)bytes[6] << 48) |
1283                        ((uint64_t)bytes[7] << 56);
1284 
1285     return true;
1286 }
1287 #endif
1288 
pb_dec_varint(pb_istream_t * stream,const pb_field_t * field,void * dest)1289 static bool checkreturn pb_dec_varint(pb_istream_t *stream, const pb_field_t *field, void *dest)
1290 {
1291     pb_uint64_t value;
1292     pb_int64_t svalue;
1293     pb_int64_t clamped;
1294     if (!pb_decode_varint(stream, &value))
1295         return false;
1296 
1297     /* See issue 97: Google's C++ protobuf allows negative varint values to
1298      * be cast as int32_t, instead of the int64_t that should be used when
1299      * encoding. Previous nanopb versions had a bug in encoding. In order to
1300      * not break decoding of such messages, we cast <=32 bit fields to
1301      * int32_t first to get the sign correct.
1302      */
1303     if (field->data_size == sizeof(pb_int64_t))
1304         svalue = (pb_int64_t)value;
1305     else
1306         svalue = (int32_t)value;
1307 
1308     /* Cast to the proper field size, while checking for overflows */
1309     if (field->data_size == sizeof(pb_int64_t))
1310         clamped = *(pb_int64_t*)dest = svalue;
1311     else if (field->data_size == sizeof(int32_t))
1312         clamped = *(int32_t*)dest = (int32_t)svalue;
1313     else if (field->data_size == sizeof(int_least16_t))
1314         clamped = *(int_least16_t*)dest = (int_least16_t)svalue;
1315     else if (field->data_size == sizeof(int_least8_t))
1316         clamped = *(int_least8_t*)dest = (int_least8_t)svalue;
1317     else
1318         PB_RETURN_ERROR(stream, "invalid data_size");
1319 
1320     if (clamped != svalue)
1321         PB_RETURN_ERROR(stream, "integer too large");
1322 
1323     return true;
1324 }
1325 
pb_dec_uvarint(pb_istream_t * stream,const pb_field_t * field,void * dest)1326 static bool checkreturn pb_dec_uvarint(pb_istream_t *stream, const pb_field_t *field, void *dest)
1327 {
1328     pb_uint64_t value, clamped;
1329     if (!pb_decode_varint(stream, &value))
1330         return false;
1331 
1332     /* Cast to the proper field size, while checking for overflows */
1333     if (field->data_size == sizeof(pb_uint64_t))
1334         clamped = *(pb_uint64_t*)dest = value;
1335     else if (field->data_size == sizeof(uint32_t))
1336         clamped = *(uint32_t*)dest = (uint32_t)value;
1337     else if (field->data_size == sizeof(uint_least16_t))
1338         clamped = *(uint_least16_t*)dest = (uint_least16_t)value;
1339     else if (field->data_size == sizeof(uint_least8_t))
1340         clamped = *(uint_least8_t*)dest = (uint_least8_t)value;
1341     else
1342         PB_RETURN_ERROR(stream, "invalid data_size");
1343 
1344     if (clamped != value)
1345         PB_RETURN_ERROR(stream, "integer too large");
1346 
1347     return true;
1348 }
1349 
pb_dec_svarint(pb_istream_t * stream,const pb_field_t * field,void * dest)1350 static bool checkreturn pb_dec_svarint(pb_istream_t *stream, const pb_field_t *field, void *dest)
1351 {
1352     pb_int64_t value, clamped;
1353     if (!pb_decode_svarint(stream, &value))
1354         return false;
1355 
1356     /* Cast to the proper field size, while checking for overflows */
1357     if (field->data_size == sizeof(pb_int64_t))
1358         clamped = *(pb_int64_t*)dest = value;
1359     else if (field->data_size == sizeof(int32_t))
1360         clamped = *(int32_t*)dest = (int32_t)value;
1361     else if (field->data_size == sizeof(int_least16_t))
1362         clamped = *(int_least16_t*)dest = (int_least16_t)value;
1363     else if (field->data_size == sizeof(int_least8_t))
1364         clamped = *(int_least8_t*)dest = (int_least8_t)value;
1365     else
1366         PB_RETURN_ERROR(stream, "invalid data_size");
1367 
1368     if (clamped != value)
1369         PB_RETURN_ERROR(stream, "integer too large");
1370 
1371     return true;
1372 }
1373 
pb_dec_fixed32(pb_istream_t * stream,const pb_field_t * field,void * dest)1374 static bool checkreturn pb_dec_fixed32(pb_istream_t *stream, const pb_field_t *field, void *dest)
1375 {
1376     PB_UNUSED(field);
1377     return pb_decode_fixed32(stream, dest);
1378 }
1379 
pb_dec_fixed64(pb_istream_t * stream,const pb_field_t * field,void * dest)1380 static bool checkreturn pb_dec_fixed64(pb_istream_t *stream, const pb_field_t *field, void *dest)
1381 {
1382     PB_UNUSED(field);
1383 #ifndef PB_WITHOUT_64BIT
1384     return pb_decode_fixed64(stream, dest);
1385 #else
1386     PB_UNUSED(dest);
1387     PB_RETURN_ERROR(stream, "no 64bit support");
1388 #endif
1389 }
1390 
pb_dec_bytes(pb_istream_t * stream,const pb_field_t * field,void * dest)1391 static bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_t *field, void *dest)
1392 {
1393     uint32_t size;
1394     size_t alloc_size;
1395     pb_bytes_array_t *bdest;
1396 
1397     if (!pb_decode_varint32(stream, &size))
1398         return false;
1399 
1400     if (size > PB_SIZE_MAX)
1401         PB_RETURN_ERROR(stream, "bytes overflow");
1402 
1403     alloc_size = PB_BYTES_ARRAY_T_ALLOCSIZE(size);
1404     if (size > alloc_size)
1405         PB_RETURN_ERROR(stream, "size too large");
1406 
1407     if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)
1408     {
1409 #ifndef PB_ENABLE_MALLOC
1410         PB_RETURN_ERROR(stream, "no malloc support");
1411 #else
1412         if (!allocate_field(stream, dest, alloc_size, 1))
1413             return false;
1414         bdest = *(pb_bytes_array_t**)dest;
1415 #endif
1416     }
1417     else
1418     {
1419         if (alloc_size > field->data_size)
1420             PB_RETURN_ERROR(stream, "bytes overflow");
1421         bdest = (pb_bytes_array_t*)dest;
1422     }
1423 
1424     bdest->size = (pb_size_t)size;
1425     return pb_read(stream, bdest->bytes, size);
1426 }
1427 
pb_dec_string(pb_istream_t * stream,const pb_field_t * field,void * dest)1428 static bool checkreturn pb_dec_string(pb_istream_t *stream, const pb_field_t *field, void *dest)
1429 {
1430     uint32_t size;
1431     size_t alloc_size;
1432     bool status;
1433     if (!pb_decode_varint32(stream, &size))
1434         return false;
1435 
1436     /* Space for null terminator */
1437     alloc_size = size + 1;
1438 
1439     if (alloc_size < size)
1440         PB_RETURN_ERROR(stream, "size too large");
1441 
1442     if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)
1443     {
1444 #ifndef PB_ENABLE_MALLOC
1445         PB_RETURN_ERROR(stream, "no malloc support");
1446 #else
1447         if (!allocate_field(stream, dest, alloc_size, 1))
1448             return false;
1449         dest = *(void**)dest;
1450 #endif
1451     }
1452     else
1453     {
1454         if (alloc_size > field->data_size)
1455             PB_RETURN_ERROR(stream, "string overflow");
1456     }
1457 
1458     status = pb_read(stream, (pb_byte_t*)dest, size);
1459     *((pb_byte_t*)dest + size) = 0;
1460     return status;
1461 }
1462 
pb_dec_submessage(pb_istream_t * stream,const pb_field_t * field,void * dest)1463 static bool checkreturn pb_dec_submessage(pb_istream_t *stream, const pb_field_t *field, void *dest)
1464 {
1465     bool status;
1466     pb_istream_t substream;
1467     const pb_field_t* submsg_fields = (const pb_field_t*)field->ptr;
1468 
1469     if (!pb_make_string_substream(stream, &substream))
1470         return false;
1471 
1472     if (field->ptr == NULL)
1473         PB_RETURN_ERROR(stream, "invalid field descriptor");
1474 
1475     /* New array entries need to be initialized, while required and optional
1476      * submessages have already been initialized in the top-level pb_decode. */
1477     if (PB_HTYPE(field->type) == PB_HTYPE_REPEATED)
1478         status = pb_decode(&substream, submsg_fields, dest);
1479     else
1480         status = pb_decode_noinit(&substream, submsg_fields, dest);
1481 
1482     if (!pb_close_string_substream(stream, &substream))
1483         return false;
1484     return status;
1485 }
1486 
pb_dec_fixed_length_bytes(pb_istream_t * stream,const pb_field_t * field,void * dest)1487 static bool checkreturn pb_dec_fixed_length_bytes(pb_istream_t *stream, const pb_field_t *field, void *dest)
1488 {
1489     uint32_t size;
1490 
1491     if (!pb_decode_varint32(stream, &size))
1492         return false;
1493 
1494     if (size > PB_SIZE_MAX)
1495         PB_RETURN_ERROR(stream, "bytes overflow");
1496 
1497     if (size == 0)
1498     {
1499         /* As a special case, treat empty bytes string as all zeros for fixed_length_bytes. */
1500         memset(dest, 0, field->data_size);
1501         return true;
1502     }
1503 
1504     if (size != field->data_size)
1505         PB_RETURN_ERROR(stream, "incorrect fixed length bytes size");
1506 
1507     return pb_read(stream, (pb_byte_t*)dest, field->data_size);
1508 }
1509