Skip to content

fix: validate lower bound for dependency indices in upb file_def#26562

Open
KevinZhao wants to merge 1 commit intoprotocolbuffers:mainfrom
KevinZhao:fix-upb-dep-index-oob
Open

fix: validate lower bound for dependency indices in upb file_def#26562
KevinZhao wants to merge 1 commit intoprotocolbuffers:mainfrom
KevinZhao:fix-upb-dep-index-oob

Conversation

@KevinZhao
Copy link
Copy Markdown

@KevinZhao KevinZhao commented Mar 25, 2026

Summary

  • Add lower-bound (< 0) validation for public_dependency and weak_dependency indices in _upb_FileDef_Create (upb/reflection/file_def.c)
  • The existing checks only validated the upper bound (>= dep_count). Since both the index (int32_t) and dep_count (int) are signed, negative values like -1 pass the comparison (-1 >= 3 is false in signed arithmetic), get stored, and cause an out-of-bounds read when later used to index the deps array via upb_FileDef_PublicDependency() or upb_FileDef_WeakDependency()
  • Add regression tests for negative public_dependency and weak_dependency values
  • Add a fuzz target (file_def_fuzz_test.cc) that exercises the dependency accessor code paths after DefPool.AddFile(), covering index validation gaps that the existing def_to_proto_fuzz_test does not reach

Test plan

  • bazel test //upb/reflection:reflection_test — new tests verify negative indices are rejected with "out of range" error
  • bazel test //upb/reflection:def_builder_test — existing tests still pass
  • Manual verification: before this fix, public_dependency: -1 on a file with dependencies causes SIGSEGV in upb_FileDef_PublicDependency(); after the fix, _upb_FileDef_Create rejects it with an error

@loci-dev loci-dev mentioned this pull request Mar 25, 2026
Open
3 tasks
@esrauchg esrauchg added the 🅰️ safe for tests Mark a commit as safe to run presubmits over label Mar 25, 2026
@github-actions github-actions Bot removed the 🅰️ safe for tests Mark a commit as safe to run presubmits over label Mar 25, 2026
@esrauchg
Copy link
Copy Markdown
Contributor

esrauchg commented Mar 25, 2026

Thanks for the candidate change!

Looks like the unit test fails for a different reason than the expected case, can you fix?

@esrauchg esrauchg added the 🅰️ safe for tests Mark a commit as safe to run presubmits over label Mar 25, 2026
@github-actions github-actions Bot removed the 🅰️ safe for tests Mark a commit as safe to run presubmits over label Mar 25, 2026
@KevinZhao
Copy link
Copy Markdown
Author

KevinZhao commented Mar 25, 2026

Thanks @esrauchg! Fixed in the latest two commits:

Commit 1 — Fixed the test: removed dependency: "dep.proto" from the test protos. The dependency name resolution (line 369-383) runs before the index validation, so the unloaded dep caused a different error than expected.

Commit 2 — While reviewing I also found a pre-existing bug: upb_FileDef_WeakDependency() at line 145 asserts against public_dep_count instead of weak_dep_count. Fixed that too, and added boundary tests for index=0 with dep_count=0 (upper-bound OOB).

The "safe for tests" tag is needed for the fork CI to run the full test suite.

@esrauchg esrauchg added the 🅰️ safe for tests Mark a commit as safe to run presubmits over label Mar 25, 2026
@github-actions github-actions Bot removed the 🅰️ safe for tests Mark a commit as safe to run presubmits over label Mar 25, 2026
@karenwuz karenwuz requested a review from esrauchg April 2, 2026 16:03
esrauchg
esrauchg requested changes Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@esrauchg esrauchg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the contribution!

Comment thread upb/reflection/file_def_fuzz_test.cc Outdated
#include "upb/reflection/def.h"
#include "upb/reflection/def.hpp"

namespace upb_test {
Copy link
Copy Markdown
Contributor

@esrauchg esrauchg Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mind sending a separate PR with this fuzz test? I'd like another maintainer to review this part, but I'm comfortable approving the other two files of this PR

Thanks!

KevinZhao added a commit to KevinZhao/protobuf that referenced this pull request Apr 4, 2026
@KevinZhao @claude
test: add fuzz test for upb dependency index validation
ab8947d 
Adds a fuzz test that exercises upb DefPool file loading with arbitrary
FileDescriptorSet protos. The test covers dependency index validation
paths in file_def.c, including the public_dependency and weak_dependency
accessors.

Split from protocolbuffers#26562 per reviewer request.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@KevinZhao KevinZhao force-pushed the fix-upb-dep-index-oob branch from 35f4843 to dab13e5 Compare April 4, 2026 05:47
@KevinZhao KevinZhao mentioned this pull request Apr 4, 2026
Open
2 tasks
@KevinZhao
Copy link
Copy Markdown
Author

KevinZhao commented Apr 4, 2026

@esrauchg Done — split the fuzz test into a separate PR: #26720

This PR now contains only the two files you're comfortable approving:

  • upb/reflection/file_def.c — lower-bound validation fix + WeakDependency assert fix
  • upb/reflection/reflection_test.cc — unit tests for negative indices and zero-index boundary cases

Squashed into a single clean commit for easy review.

@KevinZhao KevinZhao force-pushed the fix-upb-dep-index-oob branch from dab13e5 to cfdb250 Compare April 6, 2026 03:06
KevinZhao added a commit to KevinZhao/protobuf that referenced this pull request Apr 6, 2026
@KevinZhao @claude
test: add fuzz test for upb dependency index validation
2fc3d3a 
Adds a fuzz test that exercises upb DefPool file loading with arbitrary
FileDescriptorSet protos. The test covers dependency index validation
paths in file_def.c, including the public_dependency and weak_dependency
accessors.

Split from protocolbuffers#26562 per reviewer request.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@KevinZhao KevinZhao force-pushed the fix-upb-dep-index-oob branch from cfdb250 to 5b66719 Compare April 6, 2026 05:19
KevinZhao added a commit to KevinZhao/protobuf that referenced this pull request Apr 6, 2026
@KevinZhao @claude
test: add fuzz test for upb dependency index validation
f8db0de 
Adds a fuzz test that exercises upb DefPool file loading with arbitrary
FileDescriptorSet protos. The test covers dependency index validation
paths in file_def.c, including the public_dependency and weak_dependency
accessors.

Split from protocolbuffers#26562 per reviewer request.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@KevinZhao
fix: validate lower bound for dependency indices in upb file_def
b66b950 
- Add lower-bound (<0) validation for public_dependency and
  weak_dependency indices in _upb_FileDef_Create(), preventing
  negative indices from passing the bounds check and causing
  out-of-bounds reads on the deps array.

- Fix upb_FileDef_WeakDependency() assert: was checking against
  public_dep_count instead of weak_dep_count.

- Add unit tests for negative indices and zero-index-with-no-deps
  boundary cases.
@KevinZhao KevinZhao force-pushed the fix-upb-dep-index-oob branch from 5b66719 to b66b950 Compare April 6, 2026 05:24
KevinZhao added a commit to KevinZhao/protobuf that referenced this pull request Apr 6, 2026
@KevinZhao
test: add fuzz test for upb dependency index validation
92ae503 
Adds a fuzz test that exercises upb DefPool file loading with arbitrary
FileDescriptorSet protos. The test covers dependency index validation
paths in file_def.c, including the public_dependency and weak_dependency
accessors.

Split from protocolbuffers#26562 per reviewer request.
@KevinZhao
Copy link
Copy Markdown
Author

KevinZhao commented Apr 6, 2026

Hi @esrauchg — the fuzz test has been split into a separate PR (#26720) as requested. This PR now only contains the two files you mentioned being comfortable with:

  • upb/reflection/file_def.c — lower-bound validation fix + WeakDependency assert fix
  • upb/reflection/reflection_test.cc — unit tests for boundary cases

CLA check is also passing now. Could you re-review when you get a chance? Thanks!

@esrauchg esrauchg added the 🅰️ safe for tests Mark a commit as safe to run presubmits over label Apr 6, 2026
@github-actions github-actions Bot removed the 🅰️ safe for tests Mark a commit as safe to run presubmits over label Apr 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@esrauchg esrauchg esrauchg approved these changes

Assignees

@haberman haberman

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@KevinZhao @esrauchg @haberman