From 27291f2774e078cc256ec223b6d643530625eb29 Mon Sep 17 00:00:00 2001
From: "Christian Holler (:decoder)"
Date: Tue, 28 Nov 2023 11:16:07 +0000
Subject: [PATCH] Bug 1865046 - Check ProtocolId cast in IPC fuzzer. r=truber
Differential Revision: https://phabricator.services.mozilla.com/D193772
---
 tools/fuzzing/ipc/IPCFuzzController.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/fuzzing/ipc/IPCFuzzController.cpp b/tools/fuzzing/ipc/IPCFuzzController.cpp
index 3ec51280500e..e3e7c30654da 100644
--- a/tools/fuzzing/ipc/IPCFuzzController.cpp
+++ b/tools/fuzzing/ipc/IPCFuzzController.cpp
@@ -587,7 +587,12 @@ bool IPCFuzzController::MakeTargetDecision(
 } else if (isPreserveHeader) {
 // In preserveHeaderMode, we need to find an actor that matches the
 // requested message type instead of any random actor.
- ProtocolId wantedProtocolId = static_cast(*type >> 16);
+ uint16_t maybeProtocolId = *type >> 16;
+ if (maybeProtocolId >= IPCMessageStart::LastMsgIndex) {
+ // Not a valid protocol.
+ return false;
+ }
+ ProtocolId wantedProtocolId = static_cast(maybeProtocolId);
 std::vector allowedIndices;
 for (uint32_t i = 0; i < actors.size(); ++i) {
 if (actors[i].second == wantedProtocolId) {
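Review bot: The new early `return false` for an out-of-range protocol id is silent, so in preserve-header mode a run that keeps producing invalid message types looks the same as any other rejected target decision; if this file has a debug-print facility, a one-line message carrying `maybeProtocolId` at that point would make the rejection visible when triaging. The comment `// Not a valid protocol.` could also say why the check has to come before the cast, for example `// Upper 16 bits of the message type must name a real protocol; reject anything at or past LastMsgIndex before casting to ProtocolId.` The implicit narrowing in `uint16_t maybeProtocolId = *type >> 16;` is lossless only if `*type` is 32 bits wide, which the hunk does not show, so it is worth confirming against the parameter declaration. MakeTargetDecision begins and ends outside the hunk.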