From 057133cf5e067c9810ddfe7046eb17143a202240 Mon Sep 17 00:00:00 2001 From: Eun0us Date: Sun, 22 Feb 2026 18:51:19 +0100 Subject: [PATCH] Return CborErrorIllegalType instead of asserting on invalid type MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace cbor_assert(it->type != CborInvalidType) with an explicit error return in cbor_value_advance() and cbor_value_advance_fixed(). When parsing malformed CBOR input, recursive container walking can produce a CborInvalidType state. The assertion causes abort() which is inappropriate for a library that processes untrusted input — callers should receive an error code they can handle gracefully. Found by fuzzing with libFuzzer + AddressSanitizer.
---
 src/cborparser.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/cborparser.c b/src/cborparser.c
index 31c8d8bf..c0586637 100644
--- a/src/cborparser.c
+++ b/src/cborparser.c
@@ -453,7 +453,8 @@ CborError cbor_value_validate_basic(const CborValue *it)
 */
 CborError cbor_value_advance_fixed(CborValue *it)
 {
- cbor_assert(it->type != CborInvalidType);
+ if (it->type == CborInvalidType)
+ return CborErrorIllegalType;
 cbor_assert(is_fixed_type(it->type));
 if (!it->remaining)
 return CborErrorAdvancePastEOF;
@@ -505,7 +506,8 @@ static CborError advance_recursive(CborValue *it, int nestingLevel)
 */
 CborError cbor_value_advance(CborValue *it)
 {
- cbor_assert(it->type != CborInvalidType);
+ if (it->type == CborInvalidType)
+ return CborErrorIllegalType;
 if (!it->remaining)
 return CborErrorAdvancePastEOF;
 return advance_recursive(it, CBOR_PARSER_MAX_RECURSIONS);
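Review bot: The new `CborInvalidType` check in cbor_value_advance_fixed() runs before `if (!it->remaining)`, so an iterator that is both exhausted and marked invalid now reports `CborErrorIllegalType` where a build with cbor_assert compiled out would previously have reported `CborErrorAdvancePastEOF`. If the parser marks an iterator at the end of a container as CborInvalidType (not visible in this hunk, worth confirming), callers that match on the EOF code see a changed result; testing `!it->remaining` first keeps the old code for that case. The same ordering applies to the second hunk in cbor_value_advance(). The next line, `cbor_assert(is_fixed_type(it->type));`, still aborts in assert-enabled builds when the type is not a fixed one, so the commit's reasoning about untrusted input is only partly applied here unless that assert is meant purely as a caller-contract check. The function body and its doc comment begin outside the hunk.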
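Review bot: The doc comment that closes just above cbor_value_advance() is not touched, so the new `CborErrorIllegalType` return is undocumented; I would add a sentence such as `Returns CborErrorIllegalType if \a it does not point to a valid value.` there and in the comment for cbor_value_advance_fixed(). The guard covers only the iterator passed in, and advance_recursive() is defined outside this hunk, so whether nested values reached during the walk can still hit a cbor_assert cannot be confirmed from here. Since the problem was found by fuzzing, a regression test that feeds the offending input and expects an error code rather than an abort would pin the behaviour.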