Merge branch 'fix/remaining-length-overflow' into 'master'

fix(mqtt_msg): fix signed integer overflow in remaining length decoding See merge request espressif/esp-mqtt!276
2026-06-05 21:04:46 +00:00 · 2026-04-07 12:18:09 +02:00
parent a607c9babc ffd44fb424
commit 689a2656a7
1 changed files with 3 additions and 3 deletions
@@ -121,8 +121,8 @@ size_t mqtt_get_total_length(const uint8_t *buffer, size_t length, int *fixed_si
    int i;
    size_t totlen = 0;

-    for (i = 1; i < length; ++i) {
-        totlen += (buffer[i] & 0x7f) << (7 * (i - 1));
+    for (i = 1; i < length && i <= 4; ++i) {
+        totlen += (size_t)(buffer[i] & 0x7f) << (7 * (i - 1));

        if ((buffer[i] & 0x80) == 0) {
            ++i;
@@ -208,7 +208,7 @@ char *mqtt_get_publish_data(uint8_t *buffer, size_t *length)
    int blength = *length;
    *length = 0;

-    for (i = 1; i < blength; ++i) {
+    for (i = 1; i < blength && i <= 4; ++i) {
        totlen += (buffer[i] & 0x7f) << (7 * (i - 1));

        if ((buffer[i] & 0x80) == 0) {