SECURITY: Additional CPU amplification case.

Unfortunately, commit 10487060 missed a case of CPU amplification via struct lists with zero-sized elements.

See advisory: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-05-0-c++-addl-cpu-amplification.md

c++/src/capnp/encoding-test.c++

@@ -1427,17 +1427,24 @@ TEST(Encoding, VoidListAmplification) {
 }
 
 TEST(Encoding, EmptyStructListAmplification) {
-  MallocMessageBuilder builder;
-  builder.initRoot<test::TestAnyPointer>().getAnyPointerField()
-      .initAs<List<test::TestEmptyStruct>>(1u << 28);
+  MallocMessageBuilder builder(1024);
+  auto listList = builder.initRoot<test::TestAnyPointer>().getAnyPointerField()
+      .initAs<List<List<test::TestEmptyStruct>>>(500);
+
+  for (uint i = 0; i < listList.size(); i++) {
+    listList.init(i, 1u << 28);
+  }
 
   auto segments = builder.getSegmentsForOutput();
-  EXPECT_EQ(1, segments.size());
-  EXPECT_LT(segments[0].size(), 16);  // quite small for such a big list!
+  ASSERT_EQ(1, segments.size());
 
   SegmentArrayMessageReader reader(builder.getSegmentsForOutput());
-  auto root = reader.getRoot<test::TestAnyPointer>().getAnyPointerField();
-  EXPECT_NONFATAL_FAILURE(root.getAs<List<TestAllTypes>>());
+  auto root = reader.getRoot<test::TestAnyPointer>();
+  auto listListReader = root.getAnyPointerField().getAs<List<List<TestAllTypes>>>();
+  EXPECT_NONFATAL_FAILURE(listListReader[0]);
+  EXPECT_NONFATAL_FAILURE(listListReader[10]);
+
+  EXPECT_EQ(segments[0].size() - 1, root.totalSize().wordCount);
 }
 
 TEST(Encoding, Constants) {

c++/src/capnp/layout.c++

@@ -555,8 +555,9 @@ struct WireHelpers {
             WordCount dataSize = elementTag->structRef.dataSize.get();
             WirePointerCount pointerCount = elementTag->structRef.ptrCount.get();
 
-            word* pos = ptr + POINTER_SIZE_IN_WORDS;
             uint count = elementTag->inlineCompositeListElementCount() / ELEMENTS;
+            if (pointerCount > 0 * POINTERS) {
+              word* pos = ptr + POINTER_SIZE_IN_WORDS;
               for (uint i = 0; i < count; i++) {
                 pos += dataSize;
 
@@ -565,6 +566,7 @@ struct WireHelpers {
                   pos += POINTER_SIZE_IN_WORDS;
                 }
               }
+            }
 
             memset(ptr, 0, (elementTag->structRef.wordSize() * count + POINTER_SIZE_IN_WORDS)
                            * BYTES_PER_WORD / BYTES);
@@ -680,8 +682,6 @@ struct WireHelpers {
               return result;
             }
 
-            result.wordCount += wordCount + POINTER_SIZE_IN_WORDS;
-
             const WirePointer* elementTag = reinterpret_cast<const WirePointer*>(ptr);
             ElementCount count = elementTag->inlineCompositeListElementCount();
 
@@ -690,15 +690,20 @@ struct WireHelpers {
               return result;
             }
 
-            KJ_REQUIRE(elementTag->structRef.wordSize() / ELEMENTS *
-                       ElementCount64(count) <= wordCount,
+            auto actualSize = elementTag->structRef.wordSize() / ELEMENTS * ElementCount64(count);
+            KJ_REQUIRE(actualSize <= wordCount,
                        "Struct list pointer's elements overran size.") {
               return result;
             }
 
+            // We count the actual size rather than the claimed word count because that's what
+            // we'll end up with if we make a copy.
+            result.wordCount += actualSize + POINTER_SIZE_IN_WORDS;
+
             WordCount dataSize = elementTag->structRef.dataSize.get();
             WirePointerCount pointerCount = elementTag->structRef.ptrCount.get();
 
+            if (pointerCount > 0 * POINTERS) {
               const word* pos = ptr + POINTER_SIZE_IN_WORDS;
               for (uint i = 0; i < count / ELEMENTS; i++) {
                 pos += dataSize;
@@ -709,6 +714,7 @@ struct WireHelpers {
                   pos += POINTER_SIZE_IN_WORDS;
                 }
               }
+            }
             break;
           }
         }