Potential crash due to signed/unsigned comparison #58

Open
jacobkeeler opened this issue Mar 30, 2022 · 0 comments

@jacobkeeler
Contributor

Created from smartdevicelink/sdl_core#3887

```text
0x00007f62ab4acf15 in byte_array_to_bson_string (bytes=0x7f62a000348a "", length=length@entry=18446744073709551615) at bson_util.c:121
121     bson_util.c: No such file or directory.
(gdb) bt
#0  0x00007f62ab4acf15 in byte_array_to_bson_string (bytes=0x7f62a000348a "", length=length@entry=18446744073709551615) at bson_util.c:121
#1  0x00007f62ab4ab564 in bson_object_from_bytes_len (output=0x7f62a9097ba0, data=0x7f62a0003480 "", dataSize=16) at bson_object.c:260
#2  0x000055fb2f2e807b in protocol_handler::get_hash_id (packet=...)
    at /home/alex/Downloads/sdl_core/src/components/protocol_handler/src/protocol_handler_impl.cc:1603
#3  0x000055fb2f2e85ba in protocol_handler::ProtocolHandlerImpl::HandleControlMessageEndSession (this=0x55fb303969d0, packet=...)
    at /home/alex/Downloads/sdl_core/src/components/protocol_handler/src/protocol_handler_impl.cc:1628
#4  0x000055fb2f2e6ca0 in protocol_handler::ProtocolHandlerImpl::HandleControlMessage (this=0x55fb303969d0, 
   packet=std::shared_ptr<class protocol_handler::ProtocolPacket> (use count 4, weak count 0) = {...})
    at /home/alex/Downloads/sdl_core/src/components/protocol_handler/src/protocol_handler_impl.cc:1562
#5  0x000055fb2f2e50ce in protocol_handler::ProtocolHandlerImpl::HandleMessage (this=0x55fb303969d0, 
   packet=std::shared_ptr<class protocol_handler::ProtocolPacket> (use count 4, weak count 0) = {...})
    at /home/alex/Downloads/sdl_core/src/components/protocol_handler/src/protocol_handler_impl.cc:1471
#6  0x000055fb2f2f00d8 in protocol_handler::ProtocolHandlerImpl::Handle (this=0x55fb303969d0, message=...)
    at /home/alex/Downloads/sdl_core/src/components/protocol_handler/src/protocol_handler_impl.cc:2269
#7  0x000055fb2f3132b2 in threads::MessageLoopThread<utils::PrioritizedQueue<protocol_handler::impl::RawFordMessageFromMobile> >::LoopThreadDelegate::DrainQue (this=0x55fb303851e0) at /home/alex/Downloads/sdl_core/src/components/include/utils/threads/message_loop_thread.h:201
#8  0x000055fb2f312dd1 in threads::MessageLoopThread<utils::PrioritizedQueue<protocol_handler::impl::RawFordMessageFromMobile> >::LoopThreadDelegate::threadMain (this=0x55fb303851e0) at /home/alex/Downloads/sdl_core/src/components/include/utils/threads/message_loop_thread.h:184
#9  0x000055fb2f675d1f in threads::Thread::<lambda(threads::Thread*)>::operator()(threads::Thread *) const (__closure=0x7f62a9098b61, thread=0x55fb30384250)
    at /home/alex/Downloads/sdl_core/src/components/utils/src/threads/thread_posix.cc:76
#10 0x000055fb2f676478 in threads::Thread::threadFunc (arg=0x55fb30384250)
    at /home/alex/Downloads/sdl_core/src/components/utils/src/threads/thread_posix.cc:106
#11 0x00007f62ab6f4609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#12 0x00007f62aaacf293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
```
```c
//bug2: length<=0
// bson_util.c: length is size_t, so a caller passing (size_t)0 - 1 hands in
// SIZE_MAX (the 18446744073709551615 seen in the trace); length + 1 then
// wraps to 0 and the copy loop runs past the allocation.
char *byte_array_to_bson_string(uint8_t *bytes, size_t length) {
  char *stringVal = malloc(sizeof(char) * (length + 1));
  
  int i = 0;
  for (i = 0; i < length; i++) {
    stringVal[i] = (char)(bytes[i] & 0xFF);
  }
  stringVal[length] = 0x00;
  return stringVal;
}
```

```c
      // bson_object.c, inside bson_object_from_bytes_len
      case TYPE_STRING:
        // Buffer length is read first
        if (remainBytes >= SIZE_INT32) {
          // argument reconstructed from a garbled extraction of the issue text
          int32_t bufferLength = read_int32_le((uint8_t **)&current);
          remainBytes -= SIZE_INT32;
          // Type coercion int32_t => size_t
          if (bufferLength <= remainBytes) {
            char *stringVal = byte_array_to_bson_string((uint8_t*)current, (size_t)bufferLength - 1);
            bson_object_put_string(&obj, key, stringVal);
            free(stringVal);
            current += bufferLength;
            remainBytes -= (size_t)bufferLength;
          }
        }
        // remainder of the case not included in the issue
```

If a negative value is somehow provided for a BSON string or BSON object, a potential crash could occur.
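As an added illustration (not code from bson_c_lib or sdl_core), the length check from the excerpt above beside a hardened version, with a constructed stand-in for read_int32_le and constructed sample fields; it shows which length values each check lets through to byte_array_to_bson_string.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SIZE_INT32 4

/* Constructed stand-in for read_int32_le: decode a little-endian int32. */
static int32_t read_le_int32(const uint8_t *p) {
  uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
               ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
  return (int32_t)v;
}

/* The length check as it appears in the issue. Returns the value that would
 * reach byte_array_to_bson_string; *accepted reports whether the check passed. */
size_t string_length_as_in_issue(const uint8_t *field, size_t remainBytes,
                                 bool *accepted) {
  *accepted = false;
  if (remainBytes < SIZE_INT32) return 0;
  int32_t bufferLength = read_le_int32(field);
  remainBytes -= SIZE_INT32;
  /* int32_t vs size_t: bufferLength is converted to size_t, so a negative value
   * becomes huge and fails, but 0 passes and (size_t)0 - 1 wraps to SIZE_MAX. */
  if (bufferLength <= remainBytes) {
    *accepted = true;
    return (size_t)bufferLength - 1;
  }
  return 0;
}

/* Hardened check: validate the signed value before converting it. A BSON string
 * length includes the trailing NUL, so it must be >= 1, fit in the remaining
 * bytes, and the byte it designates as the terminator must really be NUL. */
size_t string_length_checked(const uint8_t *field, size_t remainBytes,
                             bool *accepted) {
  *accepted = false;
  if (remainBytes < SIZE_INT32) return 0;
  int32_t bufferLength = read_le_int32(field);
  remainBytes -= SIZE_INT32;
  if (bufferLength < 1 || (size_t)bufferLength > remainBytes) return 0;
  if (field[SIZE_INT32 + (size_t)bufferLength - 1] != 0x00) return 0;
  *accepted = true;
  return (size_t)bufferLength - 1;
}

/* Constructed sample fields: [int32 length, LE][payload bytes]. */
const uint8_t FIELD_ZERO_LEN[8] = {0, 0, 0, 0, 0, 0, 0, 0};
const uint8_t FIELD_NEG_LEN[8] = {0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0};
const uint8_t FIELD_OK[7] = {3, 0, 0, 0, 'h', 'i', 0};
const uint8_t FIELD_NO_NUL[7] = {3, 0, 0, 0, 'h', 'i', 'x'};
```

The zero-length field is the one the original check accepts and turns into SIZE_MAX; the hardened check rejects it along with the negative and unterminated cases while still accepting a well-formed string.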
