pezkuwichain/serde
1
0
Fork 0
mirror of https://github.com/pezkuwichain/serde.git synced 2026-06-12 20:11:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Prevent panic when deserializing malformed Duration

Browse Source 
std::time::Duration::new can panic. There is no alternative non-panicing constructor.
Check the panic condition beforehand and return an error instead of panicing.

Fixes #1933
This commit is contained in:
Jonas Bushart
2021-01-20 20:41:40 +01:00
parent 398fba9b1e
commit b276849ce1
2 changed files with 34 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
serde/src/de/impls.rs
+13
View File
@@ -1849,6 +1849,17 @@ impl<'de> Deserialize<'de> for Duration {
}
}
fn check_overflow<E>(secs: u64, nanos: u32) -> Result<(), E>
where
E: Error,
{
static NANOS_PER_SEC: u32 = 1_000_000_000;
match secs.checked_add((nanos / NANOS_PER_SEC) as u64) {
Some(_) => Ok(()),
None => Err(E::custom("overflow deserializing Duration")),
}
}
struct DurationVisitor;
impl<'de> Visitor<'de> for DurationVisitor {
@@ -1874,6 +1885,7 @@ impl<'de> Deserialize<'de> for Duration {
return Err(Error::invalid_length(1, &self));
}
};
try!(check_overflow(secs, nanos));
Ok(Duration::new(secs, nanos))
}
@@ -1907,6 +1919,7 @@ impl<'de> Deserialize<'de> for Duration {
Some(nanos) => nanos,
None => return Err(<A::Error as Error>::missing_field("nanos")),
};
try!(check_overflow(secs, nanos));
Ok(Duration::new(secs, nanos))
}
}