From 9656fdab0f702ccd784a2e50eabcf94809bc31b5 Mon Sep 17 00:00:00 2001
From: Stuart Stock <stuart@int08h.com>
Date: Sat, 24 Mar 2018 10:50:42 -0500
Subject: [PATCH] Check that value offset does not extend pass end of message

---
 src/error.rs   |  9 ++++++---
 src/message.rs | 13 +++++++++----
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/src/error.rs b/src/error.rs
index 982d15d..4e6ac5b 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -25,6 +25,12 @@ pub enum Error {
     /// The associated byte sequence does not correspond to a valid Roughtime tag.
     InvalidTag(Box<[u8]>),
 
+    /// Invalid number of tags specified
+    InvalidNumTags(u32),
+
+    /// Tag value length exceeds length of source bytes
+    InvalidValueLength(Tag, u32),
+
     /// Encoding failed. The associated `std::io::Error` should provide more information.
     EncodingFailure(std::io::Error),
 
@@ -37,9 +43,6 @@ pub enum Error {
     /// Offset is outside of valid message range
     InvalidOffsetValue(u32),
 
-    /// Invalid number of tags specified 
-    InvalidNumTags(u32),
-
     /// Could not convert bytes to message because bytes were too short
     MessageTooShort,
 
diff --git a/src/message.rs b/src/message.rs
index f9aad46..c8fb404 100644
--- a/src/message.rs
+++ b/src/message.rs
@@ -112,14 +112,19 @@ impl RtMessage {
         // as an offset from the end of the header
         let msg_end = bytes.len() - header_end;
 
-        assert_eq!(offsets.len(), tags.len() - 1);
-
         for (tag, (value_start, value_end)) in tags.into_iter().zip(
             once(&0)
                 .chain(offsets.iter())
-                .zip(offsets.iter().chain(once(&msg_end))),
+                .zip(offsets.iter().chain(once(&msg_end)))
         ) {
-            let value = bytes[(header_end + value_start)..(header_end + value_end)].to_vec();
+            let start_idx = header_end + value_start;
+            let end_idx = header_end + value_end;
+
+            if end_idx > msg_end || start_idx > end_idx {
+                return Err(Error::InvalidValueLength(tag, end_idx as u32));
+            }
+
+            let value = bytes[start_idx..end_idx].to_vec();
             rt_msg.add_field(tag, &value)?;
         }