Merge pull request #22 from jattento/feature/add-security-check-unmarshal-bitmap

add remaining bytes check of bitmap unmarshal method

Author: jattento

pkg/iso8583/bitmap.go

@@ -2,6 +2,7 @@ package iso8583
 
 import (
 	"errors"
+	"fmt"
 	"math"
 
 	"github.com/jattento/go-iso8583/pkg/bitmap"
@@ -22,6 +23,11 @@ func (b *BITMAP) UnmarshalISO8583(byt []byte, length int, encoding string) (int,
 	}
 
 	bcap := int(math.Ceil(float64(length) / float64(bitsInByte)))
+
+	if len(byt) < bcap {
+		return 0, fmt.Errorf("bitmap should be %v bytes long but only %v bytes are avaiable", bcap, len(byt))
+	}
+
 	b.Bitmap = bitmap.FromBytes(byt[:bcap])
 	return bcap, nil
 }

pkg/iso8583/bitmap_test.go

@@ -27,6 +27,17 @@ func TestBITMAP_MarshalISO8583(t *testing.T) {
 func TestBITMAP_UnmarshalISO8583_nil_input(t *testing.T) {
 	var bmap iso8583.BITMAP
 
+	n, bmapErr := bmap.UnmarshalISO8583([]byte{1, 1, 1}, 64, "ascii")
+
+	assert.Equal(t, 0, n)
+	if assert.NotNil(t, bmapErr) {
+		assert.Equal(t, bmapErr.Error(), "bitmap should be 8 bytes long but only 3 bytes are avaiable")
+	}
+}
+
+func TestBITMAP_UnmarshalISO8583_too_short_input(t *testing.T) {
+	var bmap iso8583.BITMAP
+
 	n, bmapErr := bmap.UnmarshalISO8583(nil, 64, "ascii")
 
 	assert.Equal(t, 0, n)