1 /* pb_decode.c -- decode a protobuf using minimal resources
2 *
3 * 2011 Petteri Aimonen <jpa@kapsi.fi>
4 */
5
6 /* Use the GCC warn_unused_result attribute to check that all return values
7 * are propagated correctly. On other compilers and gcc before 3.4.0 just
8 * ignore the annotation.
9 */
10 #if !defined(__GNUC__) || ( __GNUC__ < 3) || (__GNUC__ == 3 && __GNUC_MINOR__ < 4)
11 #define checkreturn
12 #else
13 #define checkreturn __attribute__((warn_unused_result))
14 #endif
15
16 #include "pb.h"
17 #include "pb_decode.h"
18 #include "pb_common.h"
19
20 /**************************************
21 * Declarations internal to this file *
22 **************************************/
23
24 typedef bool (*pb_decoder_t)(pb_istream_t *stream, const pb_field_t *field, void *dest) checkreturn;
25
26 static bool checkreturn buf_read(pb_istream_t *stream, pb_byte_t *buf, size_t count);
27 static bool checkreturn read_raw_value(pb_istream_t *stream, pb_wire_type_t wire_type, pb_byte_t *buf, size_t *size);
28 static bool checkreturn decode_static_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter);
29 static bool checkreturn decode_callback_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter);
30 static bool checkreturn decode_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter);
31 static void iter_from_extension(pb_field_iter_t *iter, pb_extension_t *extension);
32 static bool checkreturn default_extension_decoder(pb_istream_t *stream, pb_extension_t *extension, uint32_t tag, pb_wire_type_t wire_type);
33 static bool checkreturn decode_extension(pb_istream_t *stream, uint32_t tag, pb_wire_type_t wire_type, pb_field_iter_t *iter);
34 static bool checkreturn find_extension_field(pb_field_iter_t *iter);
35 static void pb_field_set_to_default(pb_field_iter_t *iter);
36 static void pb_message_set_to_defaults(const pb_field_t fields[], void *dest_struct);
37 static bool checkreturn pb_dec_varint(pb_istream_t *stream, const pb_field_t *field, void *dest);
38 static bool checkreturn pb_decode_varint32_eof(pb_istream_t *stream, uint32_t *dest, bool *eof);
39 static bool checkreturn pb_dec_uvarint(pb_istream_t *stream, const pb_field_t *field, void *dest);
40 static bool checkreturn pb_dec_svarint(pb_istream_t *stream, const pb_field_t *field, void *dest);
41 static bool checkreturn pb_dec_fixed32(pb_istream_t *stream, const pb_field_t *field, void *dest);
42 static bool checkreturn pb_dec_fixed64(pb_istream_t *stream, const pb_field_t *field, void *dest);
43 static bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_t *field, void *dest);
44 static bool checkreturn pb_dec_string(pb_istream_t *stream, const pb_field_t *field, void *dest);
45 static bool checkreturn pb_dec_submessage(pb_istream_t *stream, const pb_field_t *field, void *dest);
46 static bool checkreturn pb_dec_fixed_length_bytes(pb_istream_t *stream, const pb_field_t *field, void *dest);
47 static bool checkreturn pb_skip_varint(pb_istream_t *stream);
48 static bool checkreturn pb_skip_string(pb_istream_t *stream);
49
50 #ifdef PB_ENABLE_MALLOC
51 static bool checkreturn allocate_field(pb_istream_t *stream, void *pData, size_t data_size, size_t array_size);
52 static bool checkreturn pb_release_union_field(pb_istream_t *stream, pb_field_iter_t *iter);
53 static void pb_release_single_field(const pb_field_iter_t *iter);
54 #endif
55
56 #ifdef PB_WITHOUT_64BIT
57 #define pb_int64_t int32_t
58 #define pb_uint64_t uint32_t
59 #else
60 #define pb_int64_t int64_t
61 #define pb_uint64_t uint64_t
62 #endif
63
64 /* --- Function pointers to field decoders ---
65 * Order in the array must match pb_action_t LTYPE numbering.
66 */
67 static const pb_decoder_t PB_DECODERS[PB_LTYPES_COUNT] = {
68 &pb_dec_varint,
69 &pb_dec_uvarint,
70 &pb_dec_svarint,
71 &pb_dec_fixed32,
72 &pb_dec_fixed64,
73
74 &pb_dec_bytes,
75 &pb_dec_string,
76 &pb_dec_submessage,
77 NULL, /* extensions */
78 &pb_dec_fixed_length_bytes
79 };
80
81 /*******************************
82 * pb_istream_t implementation *
83 *******************************/
84
buf_read(pb_istream_t * stream,pb_byte_t * buf,size_t count)85 static bool checkreturn buf_read(pb_istream_t *stream, pb_byte_t *buf, size_t count)
86 {
87 size_t i;
88 const pb_byte_t *source = (const pb_byte_t*)stream->state;
89 stream->state = (pb_byte_t*)stream->state + count;
90
91 if (buf != NULL)
92 {
93 for (i = 0; i < count; i++)
94 buf[i] = source[i];
95 }
96
97 return true;
98 }
99
pb_read(pb_istream_t * stream,pb_byte_t * buf,size_t count)100 bool checkreturn pb_read(pb_istream_t *stream, pb_byte_t *buf, size_t count)
101 {
102 #ifndef PB_BUFFER_ONLY
103 if (buf == NULL && stream->callback != buf_read)
104 {
105 /* Skip input bytes */
106 pb_byte_t tmp[16];
107 while (count > 16)
108 {
109 if (!pb_read(stream, tmp, 16))
110 return false;
111
112 count -= 16;
113 }
114
115 return pb_read(stream, tmp, count);
116 }
117 #endif
118
119 if (stream->bytes_left < count)
120 PB_RETURN_ERROR(stream, "end-of-stream");
121
122 #ifndef PB_BUFFER_ONLY
123 if (!stream->callback(stream, buf, count))
124 PB_RETURN_ERROR(stream, "io error");
125 #else
126 if (!buf_read(stream, buf, count))
127 return false;
128 #endif
129
130 stream->bytes_left -= count;
131 return true;
132 }
133
134 /* Read a single byte from input stream. buf may not be NULL.
135 * This is an optimization for the varint decoding. */
pb_readbyte(pb_istream_t * stream,pb_byte_t * buf)136 static bool checkreturn pb_readbyte(pb_istream_t *stream, pb_byte_t *buf)
137 {
138 if (stream->bytes_left == 0)
139 PB_RETURN_ERROR(stream, "end-of-stream");
140
141 #ifndef PB_BUFFER_ONLY
142 if (!stream->callback(stream, buf, 1))
143 PB_RETURN_ERROR(stream, "io error");
144 #else
145 *buf = *(const pb_byte_t*)stream->state;
146 stream->state = (pb_byte_t*)stream->state + 1;
147 #endif
148
149 stream->bytes_left--;
150
151 return true;
152 }
153
pb_istream_from_buffer(const pb_byte_t * buf,size_t bufsize)154 pb_istream_t pb_istream_from_buffer(const pb_byte_t *buf, size_t bufsize)
155 {
156 pb_istream_t stream;
157 /* Cast away the const from buf without a compiler error. We are
158 * careful to use it only in a const manner in the callbacks.
159 */
160 union {
161 void *state;
162 const void *c_state;
163 } state;
164 #ifdef PB_BUFFER_ONLY
165 stream.callback = NULL;
166 #else
167 stream.callback = &buf_read;
168 #endif
169 state.c_state = buf;
170 stream.state = state.state;
171 stream.bytes_left = bufsize;
172 #ifndef PB_NO_ERRMSG
173 stream.errmsg = NULL;
174 #endif
175 return stream;
176 }
177
178 /********************
179 * Helper functions *
180 ********************/
181
pb_decode_varint32_eof(pb_istream_t * stream,uint32_t * dest,bool * eof)182 static bool checkreturn pb_decode_varint32_eof(pb_istream_t *stream, uint32_t *dest, bool *eof)
183 {
184 pb_byte_t byte;
185 uint32_t result;
186
187 if (!pb_readbyte(stream, &byte))
188 {
189 if (stream->bytes_left == 0)
190 {
191 if (eof)
192 {
193 *eof = true;
194 }
195 }
196
197 return false;
198 }
199
200 if ((byte & 0x80) == 0)
201 {
202 /* Quick case, 1 byte value */
203 result = byte;
204 }
205 else
206 {
207 /* Multibyte case */
208 uint_fast8_t bitpos = 7;
209 result = byte & 0x7F;
210
211 do
212 {
213 if (!pb_readbyte(stream, &byte))
214 return false;
215
216 if (bitpos >= 32)
217 {
218 /* Note: The varint could have trailing 0x80 bytes, or 0xFF for negative. */
219 uint8_t sign_extension = (bitpos < 63) ? 0xFF : 0x01;
220
221 if ((byte & 0x7F) != 0x00 && ((result >> 31) == 0 || byte != sign_extension))
222 {
223 PB_RETURN_ERROR(stream, "varint overflow");
224 }
225 }
226 else
227 {
228 result |= (uint32_t)(byte & 0x7F) << bitpos;
229 }
230 bitpos = (uint_fast8_t)(bitpos + 7);
231 } while (byte & 0x80);
232
233 if (bitpos == 35 && (byte & 0x70) != 0)
234 {
235 /* The last byte was at bitpos=28, so only bottom 4 bits fit. */
236 PB_RETURN_ERROR(stream, "varint overflow");
237 }
238 }
239
240 *dest = result;
241 return true;
242 }
243
pb_decode_varint32(pb_istream_t * stream,uint32_t * dest)244 bool checkreturn pb_decode_varint32(pb_istream_t *stream, uint32_t *dest)
245 {
246 return pb_decode_varint32_eof(stream, dest, NULL);
247 }
248
249 #ifndef PB_WITHOUT_64BIT
pb_decode_varint(pb_istream_t * stream,uint64_t * dest)250 bool checkreturn pb_decode_varint(pb_istream_t *stream, uint64_t *dest)
251 {
252 pb_byte_t byte;
253 uint_fast8_t bitpos = 0;
254 uint64_t result = 0;
255
256 do
257 {
258 if (bitpos >= 64)
259 PB_RETURN_ERROR(stream, "varint overflow");
260
261 if (!pb_readbyte(stream, &byte))
262 return false;
263
264 result |= (uint64_t)(byte & 0x7F) << bitpos;
265 bitpos = (uint_fast8_t)(bitpos + 7);
266 } while (byte & 0x80);
267
268 *dest = result;
269 return true;
270 }
271 #endif
272
pb_skip_varint(pb_istream_t * stream)273 bool checkreturn pb_skip_varint(pb_istream_t *stream)
274 {
275 pb_byte_t byte;
276 do
277 {
278 if (!pb_read(stream, &byte, 1))
279 return false;
280 } while (byte & 0x80);
281 return true;
282 }
283
pb_skip_string(pb_istream_t * stream)284 bool checkreturn pb_skip_string(pb_istream_t *stream)
285 {
286 uint32_t length;
287 if (!pb_decode_varint32(stream, &length))
288 return false;
289
290 return pb_read(stream, NULL, length);
291 }
292
pb_decode_tag(pb_istream_t * stream,pb_wire_type_t * wire_type,uint32_t * tag,bool * eof)293 bool checkreturn pb_decode_tag(pb_istream_t *stream, pb_wire_type_t *wire_type, uint32_t *tag, bool *eof)
294 {
295 uint32_t temp;
296 *eof = false;
297 *wire_type = (pb_wire_type_t) 0;
298 *tag = 0;
299
300 if (!pb_decode_varint32_eof(stream, &temp, eof))
301 {
302 return false;
303 }
304
305 if (temp == 0)
306 {
307 *eof = true; /* Special feature: allow 0-terminated messages. */
308 return false;
309 }
310
311 *tag = temp >> 3;
312 *wire_type = (pb_wire_type_t)(temp & 7);
313 return true;
314 }
315
pb_skip_field(pb_istream_t * stream,pb_wire_type_t wire_type)316 bool checkreturn pb_skip_field(pb_istream_t *stream, pb_wire_type_t wire_type)
317 {
318 switch (wire_type)
319 {
320 case PB_WT_VARINT: return pb_skip_varint(stream);
321 case PB_WT_64BIT: return pb_read(stream, NULL, 8);
322 case PB_WT_STRING: return pb_skip_string(stream);
323 case PB_WT_32BIT: return pb_read(stream, NULL, 4);
324 default: PB_RETURN_ERROR(stream, "invalid wire_type");
325 }
326 }
327
328 /* Read a raw value to buffer, for the purpose of passing it to callback as
329 * a substream. Size is maximum size on call, and actual size on return.
330 */
read_raw_value(pb_istream_t * stream,pb_wire_type_t wire_type,pb_byte_t * buf,size_t * size)331 static bool checkreturn read_raw_value(pb_istream_t *stream, pb_wire_type_t wire_type, pb_byte_t *buf, size_t *size)
332 {
333 size_t max_size = *size;
334 switch (wire_type)
335 {
336 case PB_WT_VARINT:
337 *size = 0;
338 do
339 {
340 (*size)++;
341 if (*size > max_size) return false;
342 if (!pb_read(stream, buf, 1)) return false;
343 } while (*buf++ & 0x80);
344 return true;
345
346 case PB_WT_64BIT:
347 *size = 8;
348 return pb_read(stream, buf, 8);
349
350 case PB_WT_32BIT:
351 *size = 4;
352 return pb_read(stream, buf, 4);
353
354 case PB_WT_STRING:
355 /* Calling read_raw_value with a PB_WT_STRING is an error.
356 * Explicitly handle this case and fallthrough to default to avoid
357 * compiler warnings.
358 */
359
360 default: PB_RETURN_ERROR(stream, "invalid wire_type");
361 }
362 }
363
364 /* Decode string length from stream and return a substream with limited length.
365 * Remember to close the substream using pb_close_string_substream().
366 */
pb_make_string_substream(pb_istream_t * stream,pb_istream_t * substream)367 bool checkreturn pb_make_string_substream(pb_istream_t *stream, pb_istream_t *substream)
368 {
369 uint32_t size;
370 if (!pb_decode_varint32(stream, &size))
371 return false;
372
373 *substream = *stream;
374 if (substream->bytes_left < size)
375 PB_RETURN_ERROR(stream, "parent stream too short");
376
377 substream->bytes_left = size;
378 stream->bytes_left -= size;
379 return true;
380 }
381
pb_close_string_substream(pb_istream_t * stream,pb_istream_t * substream)382 bool checkreturn pb_close_string_substream(pb_istream_t *stream, pb_istream_t *substream)
383 {
384 if (substream->bytes_left) {
385 if (!pb_read(substream, NULL, substream->bytes_left))
386 return false;
387 }
388
389 stream->state = substream->state;
390
391 #ifndef PB_NO_ERRMSG
392 stream->errmsg = substream->errmsg;
393 #endif
394 return true;
395 }
396
397 /*************************
398 * Decode a single field *
399 *************************/
400
decode_static_field(pb_istream_t * stream,pb_wire_type_t wire_type,pb_field_iter_t * iter)401 static bool checkreturn decode_static_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)
402 {
403 pb_type_t type;
404 pb_decoder_t func;
405
406 type = iter->pos->type;
407 func = PB_DECODERS[PB_LTYPE(type)];
408
409 switch (PB_HTYPE(type))
410 {
411 case PB_HTYPE_REQUIRED:
412 return func(stream, iter->pos, iter->pData);
413
414 case PB_HTYPE_OPTIONAL:
415 if (iter->pSize != iter->pData)
416 *(bool*)iter->pSize = true;
417 return func(stream, iter->pos, iter->pData);
418
419 case PB_HTYPE_REPEATED:
420 if (wire_type == PB_WT_STRING
421 && PB_LTYPE(type) <= PB_LTYPE_LAST_PACKABLE)
422 {
423 /* Packed array */
424 bool status = true;
425 pb_size_t *size = (pb_size_t*)iter->pSize;
426
427 pb_istream_t substream;
428 if (!pb_make_string_substream(stream, &substream))
429 return false;
430
431 while (substream.bytes_left > 0 && *size < iter->pos->array_size)
432 {
433 void *pItem = (char*)iter->pData + iter->pos->data_size * (*size);
434 if (!func(&substream, iter->pos, pItem))
435 {
436 status = false;
437 break;
438 }
439 (*size)++;
440 }
441
442 if (substream.bytes_left != 0)
443 PB_RETURN_ERROR(stream, "array overflow");
444 if (!pb_close_string_substream(stream, &substream))
445 return false;
446
447 return status;
448 }
449 else
450 {
451 /* Repeated field */
452 pb_size_t *size = (pb_size_t*)iter->pSize;
453 char *pItem = (char*)iter->pData + iter->pos->data_size * (*size);
454
455 if ((*size)++ >= iter->pos->array_size)
456 PB_RETURN_ERROR(stream, "array overflow");
457
458 return func(stream, iter->pos, pItem);
459 }
460
461 case PB_HTYPE_ONEOF:
462 *(pb_size_t*)iter->pSize = iter->pos->tag;
463 if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE)
464 {
465 /* We memset to zero so that any callbacks are set to NULL.
466 * Then set any default values. */
467 memset(iter->pData, 0, iter->pos->data_size);
468 pb_message_set_to_defaults((const pb_field_t*)iter->pos->ptr, iter->pData);
469 }
470 return func(stream, iter->pos, iter->pData);
471
472 default:
473 PB_RETURN_ERROR(stream, "invalid field type");
474 }
475 }
476
477 #ifdef PB_ENABLE_MALLOC
478 /* Allocate storage for the field and store the pointer at iter->pData.
479 * array_size is the number of entries to reserve in an array.
480 * Zero size is not allowed, use pb_free() for releasing.
481 */
allocate_field(pb_istream_t * stream,void * pData,size_t data_size,size_t array_size)482 static bool checkreturn allocate_field(pb_istream_t *stream, void *pData, size_t data_size, size_t array_size)
483 {
484 void *ptr = *(void**)pData;
485
486 if (data_size == 0 || array_size == 0)
487 PB_RETURN_ERROR(stream, "invalid size");
488
489 /* Check for multiplication overflows.
490 * This code avoids the costly division if the sizes are small enough.
491 * Multiplication is safe as long as only half of bits are set
492 * in either multiplicand.
493 */
494 {
495 const size_t check_limit = (size_t)1 << (sizeof(size_t) * 4);
496 if (data_size >= check_limit || array_size >= check_limit)
497 {
498 const size_t size_max = (size_t)-1;
499 if (size_max / array_size < data_size)
500 {
501 PB_RETURN_ERROR(stream, "size too large");
502 }
503 }
504 }
505
506 /* Allocate new or expand previous allocation */
507 /* Note: on failure the old pointer will remain in the structure,
508 * the message must be freed by caller also on error return. */
509 ptr = pb_realloc(ptr, array_size * data_size);
510 if (ptr == NULL)
511 PB_RETURN_ERROR(stream, "realloc failed");
512
513 *(void**)pData = ptr;
514 return true;
515 }
516
517 /* Clear a newly allocated item in case it contains a pointer, or is a submessage. */
initialize_pointer_field(void * pItem,pb_field_iter_t * iter)518 static void initialize_pointer_field(void *pItem, pb_field_iter_t *iter)
519 {
520 if (PB_LTYPE(iter->pos->type) == PB_LTYPE_STRING ||
521 PB_LTYPE(iter->pos->type) == PB_LTYPE_BYTES)
522 {
523 *(void**)pItem = NULL;
524 }
525 else if (PB_LTYPE(iter->pos->type) == PB_LTYPE_SUBMESSAGE)
526 {
527 /* We memset to zero so that any callbacks are set to NULL.
528 * Then set any default values. */
529 memset(pItem, 0, iter->pos->data_size);
530 pb_message_set_to_defaults((const pb_field_t *) iter->pos->ptr, pItem);
531 }
532 }
533 #endif
534
decode_pointer_field(pb_istream_t * stream,pb_wire_type_t wire_type,pb_field_iter_t * iter)535 static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)
536 {
537 #ifndef PB_ENABLE_MALLOC
538 PB_UNUSED(wire_type);
539 PB_UNUSED(iter);
540 PB_RETURN_ERROR(stream, "no malloc support");
541 #else
542 pb_type_t type;
543 pb_decoder_t func;
544
545 type = iter->pos->type;
546 func = PB_DECODERS[PB_LTYPE(type)];
547
548 switch (PB_HTYPE(type))
549 {
550 case PB_HTYPE_REQUIRED:
551 case PB_HTYPE_OPTIONAL:
552 case PB_HTYPE_ONEOF:
553 if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE &&
554 *(void**)iter->pData != NULL)
555 {
556 /* Duplicate field, have to release the old allocation first. */
557 pb_release_single_field(iter);
558 }
559
560 if (PB_HTYPE(type) == PB_HTYPE_ONEOF)
561 {
562 *(pb_size_t*)iter->pSize = iter->pos->tag;
563 }
564
565 if (PB_LTYPE(type) == PB_LTYPE_STRING ||
566 PB_LTYPE(type) == PB_LTYPE_BYTES)
567 {
568 return func(stream, iter->pos, iter->pData);
569 }
570 else
571 {
572 if (!allocate_field(stream, iter->pData, iter->pos->data_size, 1))
573 return false;
574
575 initialize_pointer_field(*(void**)iter->pData, iter);
576 return func(stream, iter->pos, *(void**)iter->pData);
577 }
578
579 case PB_HTYPE_REPEATED:
580 if (wire_type == PB_WT_STRING
581 && PB_LTYPE(type) <= PB_LTYPE_LAST_PACKABLE)
582 {
583 /* Packed array, multiple items come in at once. */
584 bool status = true;
585 pb_size_t *size = (pb_size_t*)iter->pSize;
586 size_t allocated_size = *size;
587 void *pItem;
588 pb_istream_t substream;
589
590 if (!pb_make_string_substream(stream, &substream))
591 return false;
592
593 while (substream.bytes_left)
594 {
595 if ((size_t)*size + 1 > allocated_size)
596 {
597 /* Allocate more storage. This tries to guess the
598 * number of remaining entries. Round the division
599 * upwards. */
600 allocated_size += (substream.bytes_left - 1) / iter->pos->data_size + 1;
601
602 if (!allocate_field(&substream, iter->pData, iter->pos->data_size, allocated_size))
603 {
604 status = false;
605 break;
606 }
607 }
608
609 /* Decode the array entry */
610 pItem = *(char**)iter->pData + iter->pos->data_size * (*size);
611 initialize_pointer_field(pItem, iter);
612 if (!func(&substream, iter->pos, pItem))
613 {
614 status = false;
615 break;
616 }
617
618 if (*size == PB_SIZE_MAX)
619 {
620 #ifndef PB_NO_ERRMSG
621 stream->errmsg = "too many array entries";
622 #endif
623 status = false;
624 break;
625 }
626
627 (*size)++;
628 }
629 if (!pb_close_string_substream(stream, &substream))
630 return false;
631
632 return status;
633 }
634 else
635 {
636 /* Normal repeated field, i.e. only one item at a time. */
637 pb_size_t *size = (pb_size_t*)iter->pSize;
638 void *pItem;
639
640 if (*size == PB_SIZE_MAX)
641 PB_RETURN_ERROR(stream, "too many array entries");
642
643 (*size)++;
644 if (!allocate_field(stream, iter->pData, iter->pos->data_size, *size))
645 return false;
646
647 pItem = *(char**)iter->pData + iter->pos->data_size * (*size - 1);
648 initialize_pointer_field(pItem, iter);
649 return func(stream, iter->pos, pItem);
650 }
651
652 default:
653 PB_RETURN_ERROR(stream, "invalid field type");
654 }
655 #endif
656 }
657
decode_callback_field(pb_istream_t * stream,pb_wire_type_t wire_type,pb_field_iter_t * iter)658 static bool checkreturn decode_callback_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)
659 {
660 pb_callback_t *pCallback = (pb_callback_t*)iter->pData;
661
662 #ifdef PB_OLD_CALLBACK_STYLE
663 void *arg = pCallback->arg;
664 #else
665 void **arg = &(pCallback->arg);
666 #endif
667
668 if (pCallback == NULL || pCallback->funcs.decode == NULL)
669 return pb_skip_field(stream, wire_type);
670
671 if (wire_type == PB_WT_STRING)
672 {
673 pb_istream_t substream;
674
675 if (!pb_make_string_substream(stream, &substream))
676 return false;
677
678 do
679 {
680 if (!pCallback->funcs.decode(&substream, iter->pos, arg))
681 PB_RETURN_ERROR(stream, "callback failed");
682 } while (substream.bytes_left);
683
684 if (!pb_close_string_substream(stream, &substream))
685 return false;
686
687 return true;
688 }
689 else
690 {
691 /* Copy the single scalar value to stack.
692 * This is required so that we can limit the stream length,
693 * which in turn allows to use same callback for packed and
694 * not-packed fields. */
695 pb_istream_t substream;
696 pb_byte_t buffer[10];
697 size_t size = sizeof(buffer);
698
699 if (!read_raw_value(stream, wire_type, buffer, &size))
700 return false;
701 substream = pb_istream_from_buffer(buffer, size);
702
703 return pCallback->funcs.decode(&substream, iter->pos, arg);
704 }
705 }
706
decode_field(pb_istream_t * stream,pb_wire_type_t wire_type,pb_field_iter_t * iter)707 static bool checkreturn decode_field(pb_istream_t *stream, pb_wire_type_t wire_type, pb_field_iter_t *iter)
708 {
709 #ifdef PB_ENABLE_MALLOC
710 /* When decoding an oneof field, check if there is old data that must be
711 * released first. */
712 if (PB_HTYPE(iter->pos->type) == PB_HTYPE_ONEOF)
713 {
714 if (!pb_release_union_field(stream, iter))
715 return false;
716 }
717 #endif
718
719 switch (PB_ATYPE(iter->pos->type))
720 {
721 case PB_ATYPE_STATIC:
722 return decode_static_field(stream, wire_type, iter);
723
724 case PB_ATYPE_POINTER:
725 return decode_pointer_field(stream, wire_type, iter);
726
727 case PB_ATYPE_CALLBACK:
728 return decode_callback_field(stream, wire_type, iter);
729
730 default:
731 PB_RETURN_ERROR(stream, "invalid field type");
732 }
733 }
734
iter_from_extension(pb_field_iter_t * iter,pb_extension_t * extension)735 static void iter_from_extension(pb_field_iter_t *iter, pb_extension_t *extension)
736 {
737 /* Fake a field iterator for the extension field.
738 * It is not actually safe to advance this iterator, but decode_field
739 * will not even try to. */
740 const pb_field_t *field = (const pb_field_t*)extension->type->arg;
741 (void)pb_field_iter_begin(iter, field, extension->dest);
742 iter->pData = extension->dest;
743 iter->pSize = &extension->found;
744
745 if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)
746 {
747 /* For pointer extensions, the pointer is stored directly
748 * in the extension structure. This avoids having an extra
749 * indirection. */
750 iter->pData = &extension->dest;
751 }
752 }
753
754 /* Default handler for extension fields. Expects a pb_field_t structure
755 * in extension->type->arg. */
default_extension_decoder(pb_istream_t * stream,pb_extension_t * extension,uint32_t tag,pb_wire_type_t wire_type)756 static bool checkreturn default_extension_decoder(pb_istream_t *stream,
757 pb_extension_t *extension, uint32_t tag, pb_wire_type_t wire_type)
758 {
759 const pb_field_t *field = (const pb_field_t*)extension->type->arg;
760 pb_field_iter_t iter;
761
762 if (field->tag != tag)
763 return true;
764
765 iter_from_extension(&iter, extension);
766 extension->found = true;
767 return decode_field(stream, wire_type, &iter);
768 }
769
770 /* Try to decode an unknown field as an extension field. Tries each extension
771 * decoder in turn, until one of them handles the field or loop ends. */
decode_extension(pb_istream_t * stream,uint32_t tag,pb_wire_type_t wire_type,pb_field_iter_t * iter)772 static bool checkreturn decode_extension(pb_istream_t *stream,
773 uint32_t tag, pb_wire_type_t wire_type, pb_field_iter_t *iter)
774 {
775 pb_extension_t *extension = *(pb_extension_t* const *)iter->pData;
776 size_t pos = stream->bytes_left;
777
778 while (extension != NULL && pos == stream->bytes_left)
779 {
780 bool status;
781 if (extension->type->decode)
782 status = extension->type->decode(stream, extension, tag, wire_type);
783 else
784 status = default_extension_decoder(stream, extension, tag, wire_type);
785
786 if (!status)
787 return false;
788
789 extension = extension->next;
790 }
791
792 return true;
793 }
794
795 /* Step through the iterator until an extension field is found or until all
796 * entries have been checked. There can be only one extension field per
797 * message. Returns false if no extension field is found. */
find_extension_field(pb_field_iter_t * iter)798 static bool checkreturn find_extension_field(pb_field_iter_t *iter)
799 {
800 const pb_field_t *start = iter->pos;
801
802 do {
803 if (PB_LTYPE(iter->pos->type) == PB_LTYPE_EXTENSION)
804 return true;
805 (void)pb_field_iter_next(iter);
806 } while (iter->pos != start);
807
808 return false;
809 }
810
811 /* Initialize message fields to default values, recursively */
pb_field_set_to_default(pb_field_iter_t * iter)812 static void pb_field_set_to_default(pb_field_iter_t *iter)
813 {
814 pb_type_t type;
815 type = iter->pos->type;
816
817 if (PB_LTYPE(type) == PB_LTYPE_EXTENSION)
818 {
819 pb_extension_t *ext = *(pb_extension_t* const *)iter->pData;
820 while (ext != NULL)
821 {
822 pb_field_iter_t ext_iter;
823 ext->found = false;
824 iter_from_extension(&ext_iter, ext);
825 pb_field_set_to_default(&ext_iter);
826 ext = ext->next;
827 }
828 }
829 else if (PB_ATYPE(type) == PB_ATYPE_STATIC)
830 {
831 bool init_data = true;
832 if (PB_HTYPE(type) == PB_HTYPE_OPTIONAL && iter->pSize != iter->pData)
833 {
834 /* Set has_field to false. Still initialize the optional field
835 * itself also. */
836 *(bool*)iter->pSize = false;
837 }
838 else if (PB_HTYPE(type) == PB_HTYPE_REPEATED ||
839 PB_HTYPE(type) == PB_HTYPE_ONEOF)
840 {
841 /* REPEATED: Set array count to 0, no need to initialize contents.
842 ONEOF: Set which_field to 0. */
843 *(pb_size_t*)iter->pSize = 0;
844 init_data = false;
845 }
846
847 if (init_data)
848 {
849 if (PB_LTYPE(iter->pos->type) == PB_LTYPE_SUBMESSAGE)
850 {
851 /* Initialize submessage to defaults */
852 pb_message_set_to_defaults((const pb_field_t *) iter->pos->ptr, iter->pData);
853 }
854 else if (iter->pos->ptr != NULL)
855 {
856 /* Initialize to default value */
857 memcpy(iter->pData, iter->pos->ptr, iter->pos->data_size);
858 }
859 else
860 {
861 /* Initialize to zeros */
862 memset(iter->pData, 0, iter->pos->data_size);
863 }
864 }
865 }
866 else if (PB_ATYPE(type) == PB_ATYPE_POINTER)
867 {
868 /* Initialize the pointer to NULL. */
869 *(void**)iter->pData = NULL;
870
871 /* Initialize array count to 0. */
872 if (PB_HTYPE(type) == PB_HTYPE_REPEATED ||
873 PB_HTYPE(type) == PB_HTYPE_ONEOF)
874 {
875 *(pb_size_t*)iter->pSize = 0;
876 }
877 }
878 else if (PB_ATYPE(type) == PB_ATYPE_CALLBACK)
879 {
880 /* Don't overwrite callback */
881 }
882 }
883
pb_message_set_to_defaults(const pb_field_t fields[],void * dest_struct)884 static void pb_message_set_to_defaults(const pb_field_t fields[], void *dest_struct)
885 {
886 pb_field_iter_t iter;
887
888 if (!pb_field_iter_begin(&iter, fields, dest_struct))
889 return; /* Empty message type */
890
891 do
892 {
893 pb_field_set_to_default(&iter);
894 } while (pb_field_iter_next(&iter));
895 }
896
897 /*********************
898 * Decode all fields *
899 *********************/
900
pb_decode_noinit(pb_istream_t * stream,const pb_field_t fields[],void * dest_struct)901 bool checkreturn pb_decode_noinit(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)
902 {
903 uint32_t fields_seen[(PB_MAX_REQUIRED_FIELDS + 31) / 32] = {0, 0};
904 const uint32_t allbits = ~(uint32_t)0;
905 uint32_t extension_range_start = 0;
906 pb_field_iter_t iter;
907
908 /* 'fixed_count_field' and 'fixed_count_size' track position of a repeated fixed
909 * count field. This can only handle _one_ repeated fixed count field that
910 * is unpacked and unordered among other (non repeated fixed count) fields.
911 */
912 const pb_field_t *fixed_count_field = NULL;
913 pb_size_t fixed_count_size = 0;
914
915 /* Return value ignored, as empty message types will be correctly handled by
916 * pb_field_iter_find() anyway. */
917 (void)pb_field_iter_begin(&iter, fields, dest_struct);
918
919 while (stream->bytes_left)
920 {
921 uint32_t tag;
922 pb_wire_type_t wire_type;
923 bool eof;
924
925 if (!pb_decode_tag(stream, &wire_type, &tag, &eof))
926 {
927 if (eof)
928 break;
929 else
930 return false;
931 }
932
933 if (!pb_field_iter_find(&iter, tag))
934 {
935 /* No match found, check if it matches an extension. */
936 if (tag >= extension_range_start)
937 {
938 if (!find_extension_field(&iter))
939 extension_range_start = (uint32_t)-1;
940 else
941 extension_range_start = iter.pos->tag;
942
943 if (tag >= extension_range_start)
944 {
945 size_t pos = stream->bytes_left;
946
947 if (!decode_extension(stream, tag, wire_type, &iter))
948 return false;
949
950 if (pos != stream->bytes_left)
951 {
952 /* The field was handled */
953 continue;
954 }
955 }
956 }
957
958 /* No match found, skip data */
959 if (!pb_skip_field(stream, wire_type))
960 return false;
961 continue;
962 }
963
964 /* If a repeated fixed count field was found, get size from
965 * 'fixed_count_field' as there is no counter contained in the struct.
966 */
967 if (PB_HTYPE(iter.pos->type) == PB_HTYPE_REPEATED
968 && iter.pSize == iter.pData)
969 {
970 if (fixed_count_field != iter.pos) {
971 /* If the new fixed count field does not match the previous one,
972 * check that the previous one is NULL or that it finished
973 * receiving all the expected data.
974 */
975 if (fixed_count_field != NULL &&
976 fixed_count_size != fixed_count_field->array_size)
977 {
978 PB_RETURN_ERROR(stream, "wrong size for fixed count field");
979 }
980
981 fixed_count_field = iter.pos;
982 fixed_count_size = 0;
983 }
984
985 iter.pSize = &fixed_count_size;
986 }
987
988 if (PB_HTYPE(iter.pos->type) == PB_HTYPE_REQUIRED
989 && iter.required_field_index < PB_MAX_REQUIRED_FIELDS)
990 {
991 uint32_t tmp = ((uint32_t)1 << (iter.required_field_index & 31));
992 fields_seen[iter.required_field_index >> 5] |= tmp;
993 }
994
995 if (!decode_field(stream, wire_type, &iter))
996 return false;
997 }
998
999 /* Check that all elements of the last decoded fixed count field were present. */
1000 if (fixed_count_field != NULL &&
1001 fixed_count_size != fixed_count_field->array_size)
1002 {
1003 PB_RETURN_ERROR(stream, "wrong size for fixed count field");
1004 }
1005
1006 /* Check that all required fields were present. */
1007 {
1008 /* First figure out the number of required fields by
1009 * seeking to the end of the field array. Usually we
1010 * are already close to end after decoding.
1011 */
1012 unsigned req_field_count;
1013 pb_type_t last_type;
1014 unsigned i;
1015 do {
1016 req_field_count = iter.required_field_index;
1017 last_type = iter.pos->type;
1018 } while (pb_field_iter_next(&iter));
1019
1020 /* Fixup if last field was also required. */
1021 if (PB_HTYPE(last_type) == PB_HTYPE_REQUIRED && iter.pos->tag != 0)
1022 req_field_count++;
1023
1024 if (req_field_count > PB_MAX_REQUIRED_FIELDS)
1025 req_field_count = PB_MAX_REQUIRED_FIELDS;
1026
1027 if (req_field_count > 0)
1028 {
1029 /* Check the whole words */
1030 for (i = 0; i < (req_field_count >> 5); i++)
1031 {
1032 if (fields_seen[i] != allbits)
1033 PB_RETURN_ERROR(stream, "missing required field");
1034 }
1035
1036 /* Check the remaining bits (if any) */
1037 if ((req_field_count & 31) != 0)
1038 {
1039 if (fields_seen[req_field_count >> 5] !=
1040 (allbits >> (32 - (req_field_count & 31))))
1041 {
1042 PB_RETURN_ERROR(stream, "missing required field");
1043 }
1044 }
1045 }
1046 }
1047
1048 return true;
1049 }
1050
pb_decode(pb_istream_t * stream,const pb_field_t fields[],void * dest_struct)1051 bool checkreturn pb_decode(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)
1052 {
1053 bool status;
1054 pb_message_set_to_defaults(fields, dest_struct);
1055 status = pb_decode_noinit(stream, fields, dest_struct);
1056
1057 #ifdef PB_ENABLE_MALLOC
1058 if (!status)
1059 pb_release(fields, dest_struct);
1060 #endif
1061
1062 return status;
1063 }
1064
pb_decode_delimited_noinit(pb_istream_t * stream,const pb_field_t fields[],void * dest_struct)1065 bool pb_decode_delimited_noinit(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)
1066 {
1067 pb_istream_t substream;
1068 bool status;
1069
1070 if (!pb_make_string_substream(stream, &substream))
1071 return false;
1072
1073 status = pb_decode_noinit(&substream, fields, dest_struct);
1074
1075 if (!pb_close_string_substream(stream, &substream))
1076 return false;
1077 return status;
1078 }
1079
pb_decode_delimited(pb_istream_t * stream,const pb_field_t fields[],void * dest_struct)1080 bool pb_decode_delimited(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)
1081 {
1082 pb_istream_t substream;
1083 bool status;
1084
1085 if (!pb_make_string_substream(stream, &substream))
1086 return false;
1087
1088 status = pb_decode(&substream, fields, dest_struct);
1089
1090 if (!pb_close_string_substream(stream, &substream))
1091 return false;
1092 return status;
1093 }
1094
pb_decode_nullterminated(pb_istream_t * stream,const pb_field_t fields[],void * dest_struct)1095 bool pb_decode_nullterminated(pb_istream_t *stream, const pb_field_t fields[], void *dest_struct)
1096 {
1097 /* This behaviour will be separated in nanopb-0.4.0, see issue #278. */
1098 return pb_decode(stream, fields, dest_struct);
1099 }
1100
1101 #ifdef PB_ENABLE_MALLOC
1102 /* Given an oneof field, if there has already been a field inside this oneof,
1103 * release it before overwriting with a different one. */
pb_release_union_field(pb_istream_t * stream,pb_field_iter_t * iter)1104 static bool pb_release_union_field(pb_istream_t *stream, pb_field_iter_t *iter)
1105 {
1106 pb_size_t old_tag = *(pb_size_t*)iter->pSize; /* Previous which_ value */
1107 pb_size_t new_tag = iter->pos->tag; /* New which_ value */
1108
1109 if (old_tag == 0)
1110 return true; /* Ok, no old data in union */
1111
1112 if (old_tag == new_tag)
1113 return true; /* Ok, old data is of same type => merge */
1114
1115 /* Release old data. The find can fail if the message struct contains
1116 * invalid data. */
1117 if (!pb_field_iter_find(iter, old_tag))
1118 PB_RETURN_ERROR(stream, "invalid union tag");
1119
1120 pb_release_single_field(iter);
1121
1122 /* Restore iterator to where it should be.
1123 * This shouldn't fail unless the pb_field_t structure is corrupted. */
1124 if (!pb_field_iter_find(iter, new_tag))
1125 PB_RETURN_ERROR(stream, "iterator error");
1126
1127 return true;
1128 }
1129
pb_release_single_field(const pb_field_iter_t * iter)1130 static void pb_release_single_field(const pb_field_iter_t *iter)
1131 {
1132 pb_type_t type;
1133 type = iter->pos->type;
1134
1135 if (PB_HTYPE(type) == PB_HTYPE_ONEOF)
1136 {
1137 if (*(pb_size_t*)iter->pSize != iter->pos->tag)
1138 return; /* This is not the current field in the union */
1139 }
1140
1141 /* Release anything contained inside an extension or submsg.
1142 * This has to be done even if the submsg itself is statically
1143 * allocated. */
1144 if (PB_LTYPE(type) == PB_LTYPE_EXTENSION)
1145 {
1146 /* Release fields from all extensions in the linked list */
1147 pb_extension_t *ext = *(pb_extension_t**)iter->pData;
1148 while (ext != NULL)
1149 {
1150 pb_field_iter_t ext_iter;
1151 iter_from_extension(&ext_iter, ext);
1152 pb_release_single_field(&ext_iter);
1153 ext = ext->next;
1154 }
1155 }
1156 else if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE)
1157 {
1158 /* Release fields in submessage or submsg array */
1159 void *pItem = iter->pData;
1160 pb_size_t count = 1;
1161
1162 if (PB_ATYPE(type) == PB_ATYPE_POINTER)
1163 {
1164 pItem = *(void**)iter->pData;
1165 }
1166
1167 if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
1168 {
1169 if (PB_ATYPE(type) == PB_ATYPE_STATIC && iter->pSize == iter->pData) {
1170 /* No _count field so use size of the array */
1171 count = iter->pos->array_size;
1172 } else {
1173 count = *(pb_size_t*)iter->pSize;
1174 }
1175
1176 if (PB_ATYPE(type) == PB_ATYPE_STATIC && count > iter->pos->array_size)
1177 {
1178 /* Protect against corrupted _count fields */
1179 count = iter->pos->array_size;
1180 }
1181 }
1182
1183 if (pItem)
1184 {
1185 while (count--)
1186 {
1187 pb_release((const pb_field_t*)iter->pos->ptr, pItem);
1188 pItem = (char*)pItem + iter->pos->data_size;
1189 }
1190 }
1191 }
1192
1193 if (PB_ATYPE(type) == PB_ATYPE_POINTER)
1194 {
1195 if (PB_HTYPE(type) == PB_HTYPE_REPEATED &&
1196 (PB_LTYPE(type) == PB_LTYPE_STRING ||
1197 PB_LTYPE(type) == PB_LTYPE_BYTES))
1198 {
1199 /* Release entries in repeated string or bytes array */
1200 void **pItem = *(void***)iter->pData;
1201 pb_size_t count = *(pb_size_t*)iter->pSize;
1202 while (count--)
1203 {
1204 pb_free(*pItem);
1205 *pItem++ = NULL;
1206 }
1207 }
1208
1209 if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
1210 {
1211 /* We are going to release the array, so set the size to 0 */
1212 *(pb_size_t*)iter->pSize = 0;
1213 }
1214
1215 /* Release main item */
1216 pb_free(*(void**)iter->pData);
1217 *(void**)iter->pData = NULL;
1218 }
1219 }
1220
pb_release(const pb_field_t fields[],void * dest_struct)1221 void pb_release(const pb_field_t fields[], void *dest_struct)
1222 {
1223 pb_field_iter_t iter;
1224
1225 if (!dest_struct)
1226 return; /* Ignore NULL pointers, similar to free() */
1227
1228 if (!pb_field_iter_begin(&iter, fields, dest_struct))
1229 return; /* Empty message type */
1230
1231 do
1232 {
1233 pb_release_single_field(&iter);
1234 } while (pb_field_iter_next(&iter));
1235 }
1236 #endif
1237
1238 /* Field decoders */
1239
pb_decode_svarint(pb_istream_t * stream,pb_int64_t * dest)1240 bool pb_decode_svarint(pb_istream_t *stream, pb_int64_t *dest)
1241 {
1242 pb_uint64_t value;
1243 if (!pb_decode_varint(stream, &value))
1244 return false;
1245
1246 if (value & 1)
1247 *dest = (pb_int64_t)(~(value >> 1));
1248 else
1249 *dest = (pb_int64_t)(value >> 1);
1250
1251 return true;
1252 }
1253
pb_decode_fixed32(pb_istream_t * stream,void * dest)1254 bool pb_decode_fixed32(pb_istream_t *stream, void *dest)
1255 {
1256 pb_byte_t bytes[4];
1257
1258 if (!pb_read(stream, bytes, 4))
1259 return false;
1260
1261 *(uint32_t*)dest = ((uint32_t)bytes[0] << 0) |
1262 ((uint32_t)bytes[1] << 8) |
1263 ((uint32_t)bytes[2] << 16) |
1264 ((uint32_t)bytes[3] << 24);
1265 return true;
1266 }
1267
1268 #ifndef PB_WITHOUT_64BIT
pb_decode_fixed64(pb_istream_t * stream,void * dest)1269 bool pb_decode_fixed64(pb_istream_t *stream, void *dest)
1270 {
1271 pb_byte_t bytes[8];
1272
1273 if (!pb_read(stream, bytes, 8))
1274 return false;
1275
1276 *(uint64_t*)dest = ((uint64_t)bytes[0] << 0) |
1277 ((uint64_t)bytes[1] << 8) |
1278 ((uint64_t)bytes[2] << 16) |
1279 ((uint64_t)bytes[3] << 24) |
1280 ((uint64_t)bytes[4] << 32) |
1281 ((uint64_t)bytes[5] << 40) |
1282 ((uint64_t)bytes[6] << 48) |
1283 ((uint64_t)bytes[7] << 56);
1284
1285 return true;
1286 }
1287 #endif
1288
pb_dec_varint(pb_istream_t * stream,const pb_field_t * field,void * dest)1289 static bool checkreturn pb_dec_varint(pb_istream_t *stream, const pb_field_t *field, void *dest)
1290 {
1291 pb_uint64_t value;
1292 pb_int64_t svalue;
1293 pb_int64_t clamped;
1294 if (!pb_decode_varint(stream, &value))
1295 return false;
1296
1297 /* See issue 97: Google's C++ protobuf allows negative varint values to
1298 * be cast as int32_t, instead of the int64_t that should be used when
1299 * encoding. Previous nanopb versions had a bug in encoding. In order to
1300 * not break decoding of such messages, we cast <=32 bit fields to
1301 * int32_t first to get the sign correct.
1302 */
1303 if (field->data_size == sizeof(pb_int64_t))
1304 svalue = (pb_int64_t)value;
1305 else
1306 svalue = (int32_t)value;
1307
1308 /* Cast to the proper field size, while checking for overflows */
1309 if (field->data_size == sizeof(pb_int64_t))
1310 clamped = *(pb_int64_t*)dest = svalue;
1311 else if (field->data_size == sizeof(int32_t))
1312 clamped = *(int32_t*)dest = (int32_t)svalue;
1313 else if (field->data_size == sizeof(int_least16_t))
1314 clamped = *(int_least16_t*)dest = (int_least16_t)svalue;
1315 else if (field->data_size == sizeof(int_least8_t))
1316 clamped = *(int_least8_t*)dest = (int_least8_t)svalue;
1317 else
1318 PB_RETURN_ERROR(stream, "invalid data_size");
1319
1320 if (clamped != svalue)
1321 PB_RETURN_ERROR(stream, "integer too large");
1322
1323 return true;
1324 }
1325
pb_dec_uvarint(pb_istream_t * stream,const pb_field_t * field,void * dest)1326 static bool checkreturn pb_dec_uvarint(pb_istream_t *stream, const pb_field_t *field, void *dest)
1327 {
1328 pb_uint64_t value, clamped;
1329 if (!pb_decode_varint(stream, &value))
1330 return false;
1331
1332 /* Cast to the proper field size, while checking for overflows */
1333 if (field->data_size == sizeof(pb_uint64_t))
1334 clamped = *(pb_uint64_t*)dest = value;
1335 else if (field->data_size == sizeof(uint32_t))
1336 clamped = *(uint32_t*)dest = (uint32_t)value;
1337 else if (field->data_size == sizeof(uint_least16_t))
1338 clamped = *(uint_least16_t*)dest = (uint_least16_t)value;
1339 else if (field->data_size == sizeof(uint_least8_t))
1340 clamped = *(uint_least8_t*)dest = (uint_least8_t)value;
1341 else
1342 PB_RETURN_ERROR(stream, "invalid data_size");
1343
1344 if (clamped != value)
1345 PB_RETURN_ERROR(stream, "integer too large");
1346
1347 return true;
1348 }
1349
pb_dec_svarint(pb_istream_t * stream,const pb_field_t * field,void * dest)1350 static bool checkreturn pb_dec_svarint(pb_istream_t *stream, const pb_field_t *field, void *dest)
1351 {
1352 pb_int64_t value, clamped;
1353 if (!pb_decode_svarint(stream, &value))
1354 return false;
1355
1356 /* Cast to the proper field size, while checking for overflows */
1357 if (field->data_size == sizeof(pb_int64_t))
1358 clamped = *(pb_int64_t*)dest = value;
1359 else if (field->data_size == sizeof(int32_t))
1360 clamped = *(int32_t*)dest = (int32_t)value;
1361 else if (field->data_size == sizeof(int_least16_t))
1362 clamped = *(int_least16_t*)dest = (int_least16_t)value;
1363 else if (field->data_size == sizeof(int_least8_t))
1364 clamped = *(int_least8_t*)dest = (int_least8_t)value;
1365 else
1366 PB_RETURN_ERROR(stream, "invalid data_size");
1367
1368 if (clamped != value)
1369 PB_RETURN_ERROR(stream, "integer too large");
1370
1371 return true;
1372 }
1373
pb_dec_fixed32(pb_istream_t * stream,const pb_field_t * field,void * dest)1374 static bool checkreturn pb_dec_fixed32(pb_istream_t *stream, const pb_field_t *field, void *dest)
1375 {
1376 PB_UNUSED(field);
1377 return pb_decode_fixed32(stream, dest);
1378 }
1379
pb_dec_fixed64(pb_istream_t * stream,const pb_field_t * field,void * dest)1380 static bool checkreturn pb_dec_fixed64(pb_istream_t *stream, const pb_field_t *field, void *dest)
1381 {
1382 PB_UNUSED(field);
1383 #ifndef PB_WITHOUT_64BIT
1384 return pb_decode_fixed64(stream, dest);
1385 #else
1386 PB_UNUSED(dest);
1387 PB_RETURN_ERROR(stream, "no 64bit support");
1388 #endif
1389 }
1390
pb_dec_bytes(pb_istream_t * stream,const pb_field_t * field,void * dest)1391 static bool checkreturn pb_dec_bytes(pb_istream_t *stream, const pb_field_t *field, void *dest)
1392 {
1393 uint32_t size;
1394 size_t alloc_size;
1395 pb_bytes_array_t *bdest;
1396
1397 if (!pb_decode_varint32(stream, &size))
1398 return false;
1399
1400 if (size > PB_SIZE_MAX)
1401 PB_RETURN_ERROR(stream, "bytes overflow");
1402
1403 alloc_size = PB_BYTES_ARRAY_T_ALLOCSIZE(size);
1404 if (size > alloc_size)
1405 PB_RETURN_ERROR(stream, "size too large");
1406
1407 if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)
1408 {
1409 #ifndef PB_ENABLE_MALLOC
1410 PB_RETURN_ERROR(stream, "no malloc support");
1411 #else
1412 if (!allocate_field(stream, dest, alloc_size, 1))
1413 return false;
1414 bdest = *(pb_bytes_array_t**)dest;
1415 #endif
1416 }
1417 else
1418 {
1419 if (alloc_size > field->data_size)
1420 PB_RETURN_ERROR(stream, "bytes overflow");
1421 bdest = (pb_bytes_array_t*)dest;
1422 }
1423
1424 bdest->size = (pb_size_t)size;
1425 return pb_read(stream, bdest->bytes, size);
1426 }
1427
pb_dec_string(pb_istream_t * stream,const pb_field_t * field,void * dest)1428 static bool checkreturn pb_dec_string(pb_istream_t *stream, const pb_field_t *field, void *dest)
1429 {
1430 uint32_t size;
1431 size_t alloc_size;
1432 bool status;
1433 if (!pb_decode_varint32(stream, &size))
1434 return false;
1435
1436 /* Space for null terminator */
1437 alloc_size = size + 1;
1438
1439 if (alloc_size < size)
1440 PB_RETURN_ERROR(stream, "size too large");
1441
1442 if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)
1443 {
1444 #ifndef PB_ENABLE_MALLOC
1445 PB_RETURN_ERROR(stream, "no malloc support");
1446 #else
1447 if (!allocate_field(stream, dest, alloc_size, 1))
1448 return false;
1449 dest = *(void**)dest;
1450 #endif
1451 }
1452 else
1453 {
1454 if (alloc_size > field->data_size)
1455 PB_RETURN_ERROR(stream, "string overflow");
1456 }
1457
1458 status = pb_read(stream, (pb_byte_t*)dest, size);
1459 *((pb_byte_t*)dest + size) = 0;
1460 return status;
1461 }
1462
pb_dec_submessage(pb_istream_t * stream,const pb_field_t * field,void * dest)1463 static bool checkreturn pb_dec_submessage(pb_istream_t *stream, const pb_field_t *field, void *dest)
1464 {
1465 bool status;
1466 pb_istream_t substream;
1467 const pb_field_t* submsg_fields = (const pb_field_t*)field->ptr;
1468
1469 if (!pb_make_string_substream(stream, &substream))
1470 return false;
1471
1472 if (field->ptr == NULL)
1473 PB_RETURN_ERROR(stream, "invalid field descriptor");
1474
1475 /* New array entries need to be initialized, while required and optional
1476 * submessages have already been initialized in the top-level pb_decode. */
1477 if (PB_HTYPE(field->type) == PB_HTYPE_REPEATED)
1478 status = pb_decode(&substream, submsg_fields, dest);
1479 else
1480 status = pb_decode_noinit(&substream, submsg_fields, dest);
1481
1482 if (!pb_close_string_substream(stream, &substream))
1483 return false;
1484 return status;
1485 }
1486
pb_dec_fixed_length_bytes(pb_istream_t * stream,const pb_field_t * field,void * dest)1487 static bool checkreturn pb_dec_fixed_length_bytes(pb_istream_t *stream, const pb_field_t *field, void *dest)
1488 {
1489 uint32_t size;
1490
1491 if (!pb_decode_varint32(stream, &size))
1492 return false;
1493
1494 if (size > PB_SIZE_MAX)
1495 PB_RETURN_ERROR(stream, "bytes overflow");
1496
1497 if (size == 0)
1498 {
1499 /* As a special case, treat empty bytes string as all zeros for fixed_length_bytes. */
1500 memset(dest, 0, field->data_size);
1501 return true;
1502 }
1503
1504 if (size != field->data_size)
1505 PB_RETURN_ERROR(stream, "incorrect fixed length bytes size");
1506
1507 return pb_read(stream, (pb_byte_t*)dest, field->data_size);
1508 }
1509