esp-mqtt/lib
Eun0us ffd44fb424 fix: fix signed integer overflow in remaining length decoding
The expression (buffer[i] & 0x7f) << (7 * (i - 1)) performs a left
shift on a signed int. When i >= 5, the shift amount reaches 28+ and
0x7f << 28 overflows INT_MAX, which is undefined behavior.

Per MQTT 3.1.1 section 2.2.3, the Remaining Length field uses at most
4 continuation bytes, so limit the decoding loop accordingly. Also
cast to size_t in mqtt_get_total_length() where totlen is already
size_t.

Affects mqtt_get_total_length() and mqtt_get_publish_data().

Found via coverage-guided fuzzing (libFuzzer + UBSan).
2026-04-07 11:02:39 +02:00
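The commit message above describes the class of bug, a left shift of a signed `int` by 28 or more bits while decoding the MQTT Remaining Length field, and the fix, bounding the loop at the four bytes the spec allows. The following is an added, stand-alone illustration of the hardened decoding pattern; it is not esp-mqtt's code, and the function names (`mqtt_decode_remaining_length`, `mqtt_total_length`, `check_sample`), the return codes and the sample packets are all constructed here. It does the arithmetic in `uint32_t`, so the largest shift is 21 bits of a 7-bit value, and it treats a fifth continuation byte and a truncated field as protocol errors instead of continuing to shift.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical return codes; esp-mqtt's own API is not reproduced here. */
enum { RL_ERR_TRUNCATED = -1, RL_ERR_TOO_LONG = -2 };

/*
 * Decode the MQTT 3.1.1 Remaining Length field (section 2.2.3).
 * buf[0] is the control byte; the variable-length field starts at buf[1].
 * At most 4 encoded bytes are consumed (7 payload bits each), so the
 * shift amount is 0, 7, 14 or 21 and the value is unsigned: no signed
 * overflow is reachable regardless of input.
 *
 * Returns the fixed-header size (1 + length bytes) and stores the decoded
 * length in *out, or a negative RL_ERR_* code for malformed input.
 */
int mqtt_decode_remaining_length(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint32_t value = 0;

    for (size_t i = 1; i <= 4; i++) {
        if (i >= len)
            return RL_ERR_TRUNCATED;            /* field runs past the buffer */
        /* Unsigned counterpart of (buffer[i] & 0x7f) << (7 * (i - 1)). */
        value |= (uint32_t)(buf[i] & 0x7fu) << (7 * (i - 1));
        if ((buf[i] & 0x80u) == 0) {
            *out = value;
            return (int)(i + 1);
        }
    }
    /* Four bytes all carried the continuation bit: invalid per the spec. */
    return RL_ERR_TOO_LONG;
}

/*
 * Total packet length as size_t (header + remaining length), mirroring the
 * commit's note that the sum should be computed in size_t. Returns 0 for a
 * malformed header so callers can drop the packet before touching payload.
 */
size_t mqtt_total_length(const uint8_t *buf, size_t len)
{
    uint32_t remaining;
    int hdr = mqtt_decode_remaining_length(buf, len, &remaining);
    if (hdr < 0)
        return 0;
    return (size_t)hdr + (size_t)remaining;
}

/* Constructed fixed headers: 0x30 is a PUBLISH control byte. */
static const uint8_t pkt_one_byte[]   = { 0x30, 0x7f };                         /* 127 */
static const uint8_t pkt_two_bytes[]  = { 0x30, 0x80, 0x01 };                   /* 128 */
static const uint8_t pkt_max[]        = { 0x30, 0xff, 0xff, 0xff, 0x7f };       /* 268435455 */
static const uint8_t pkt_five_bytes[] = { 0x30, 0xff, 0xff, 0xff, 0xff, 0x7f }; /* too long */
static const uint8_t pkt_truncated[]  = { 0x30, 0x80 };                         /* cut short */

/* Helper for checks: 1 if decoding yields the expected rc and value. */
int check_sample(const uint8_t *buf, size_t len, int expect_rc, uint32_t expect_val)
{
    uint32_t v = 0;
    int rc = mqtt_decode_remaining_length(buf, len, &v);
    if (rc != expect_rc)
        return 0;
    return rc < 0 || v == expect_val;
}

int main(void)
{
    uint32_t v;
    int rc = mqtt_decode_remaining_length(pkt_max, sizeof pkt_max, &v);
    printf("max: rc=%d value=%u\n", rc, (unsigned)v);
    rc = mqtt_decode_remaining_length(pkt_five_bytes, sizeof pkt_five_bytes, &v);
    printf("five bytes: rc=%d (rejected, no shift beyond 21 bits)\n", rc);
    printf("total length of two-byte sample: %zu\n",
           mqtt_total_length(pkt_two_bytes, sizeof pkt_two_bytes));
    return 0;
}
```

Compiling with `-fsanitize=undefined` and feeding the five-byte sample is a quick way to confirm the bounded loop never reaches a shift that UBSan would flag, which is the condition the fuzzing run in the commit message was exercising.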