csn1: fix M_CHOICE: restirct maximum length of the choice list
The current implementation is not capable of handling more than
256 (UCHAR_MAX) selectors in the choice list. Let's document
this and add a guard check to the M_CHOICE handler.
Change-Id: I40c3c5b9be892804c6cd71cbb907af469ce5d769
diff --git a/src/csn1.c b/src/csn1.c
index 3db1e13..3347a64 100644
--- a/src/csn1.c
+++ b/src/csn1.c
@@ -495,6 +495,8 @@
/* Make sure that the list of choice items is not empty */
if (!count)
return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_IN_SCRIPT, pDescr);
+ else if (count > 255) /* We can handle up to 256 (UCHAR_MAX) selectors */
+ return ProcessError(readIndex, "csnStreamDecoder", CSN_ERROR_IN_SCRIPT, pDescr);
while (count > 0)
{
diff --git a/src/csn1.h b/src/csn1.h
index d178ada..7eef5c8 100644
--- a/src/csn1.h
+++ b/src/csn1.h
@@ -490,7 +490,8 @@
* is the part of the message. In the CSN_CHOICE case, this rule does not
* apply. There is free but predefined mapping of the element of the union and
* the value which addresses this element.
- * The value of the address is called a selector.
+ * The value of the address is called a selector. Up to 256 (UCHAR_MAX) unique
+ * selectors can be handled, longer choice list would cause CSN_ERROR_IN_SCRIPT.
* After unpacking, this value is then converted to the sequential number of the
* element in the union and stored in the UnionType variable.
* Par1: C structure name