Closed
Description
[REQUIRED] Step 1: Describe your environment
- Xcode version: 12.5.1
- Firebase SDK version: 8.7.0
- Installation method: CocoaPods
- Firebase Component: Performance
[REQUIRED] Step 2: Describe the problem
Steps to reproduce:
While running an app that includes Firebase Performance with the Address Sanitizer on, a heap-buffer-overflow was reported in FPREncodePerfSessions() (FPRNanoPbUtils.m:224).
FPREncodePerfSessions() is allocating an array of size 0 and then sets a value for the first element of this array.
I believe that line 226:
perfSessions[perfSessionIndex].session_verbosity_count = 1;
should be moved up to line 221, just before:
perfSessions[perfSessionIndex].session_verbosity = calloc(perfSessions[perfSessionIndex].session_verbosity_count, sizeof(firebase_perf_v1_SessionVerbosity));
What follows is a full copy of the console log:
2021-10-21 23:02:49.681785+0200 Runner[384:9452] Thread T1 created by T0 here:
2021-10-21 23:02:49.681846+0200 Runner[384:9452] <empty stack>
2021-10-21 23:02:49.682203+0200 Runner[384:9452] SUMMARY: AddressSanitizer: heap-buffer-overflow (/private/var/containers/Bundle/Application/A73A6C74-6EC4-4778-9796-85F93E8084F1/Runner.app/Frameworks/FirebasePerformance.framework/FirebasePerformance:arm64+0x45eb8) in __FPREncodePerfSessions_block_invoke+0x77c
==384==ABORTING
Warning: hit breakpoint while running function, skipping commands and conditions to prevent recursion.
AddressSanitizer report breakpoint hit. Use 'thread info -s' to get extended information about the report.
(lldb) thread info -s
thread #2: tid = 0x24ec, 0x0000000100c10b10 libclang_rt.asan_ios_dynamic.dylib`__asan::AsanDie(), queue = 'com.google.perf.FPREventsQueue', stop reason = Heap buffer overflow
{
"access_size": 4,
"access_type": 1,
"address": 6082886288,
"description": "heap-buffer-overflow",
"instrumentation_class": "AddressSanitizer",
"pc": 4371455676,
"stop_type": "fatal_error"
}
(lldb)
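The allocation-order defect described in the report, reduced to a stand-alone C illustration (added here, not Firebase's or nanopb's code): a constructed struct mirrors a nanopb repeated field with the page's `session_verbosity_count` / `session_verbosity` names, the reported order is shown with the overflowing write left as a comment so the function is safe to run under ASan, and the corrected order sets the count before the calloc. The enum and struct names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the generated verbosity enum (hypothetical name). */
typedef enum { VERBOSITY_NONE = 0, VERBOSITY_GAUGES_AND_SYSTEM_EVENTS = 1 } SessionVerbosity;

/* Constructed stand-in for a nanopb message with one repeated field:
 * a count plus a heap-allocated array sized from that count. */
typedef struct {
    size_t session_verbosity_count;
    SessionVerbosity *session_verbosity;
} PerfSession;

/* Reported (buggy) order: calloc runs while the count is still 0, so the
 * array holds 0 elements; the count is then set to 1 and element 0 is
 * written. The write is left as a comment, and the function returns the
 * number of bytes the calloc actually reserved (0). */
size_t buggy_order_alloc_bytes(void) {
    PerfSession s;
    memset(&s, 0, sizeof s);
    size_t bytes = s.session_verbosity_count * sizeof(SessionVerbosity); /* 0 */
    s.session_verbosity = calloc(s.session_verbosity_count, sizeof(SessionVerbosity));
    s.session_verbosity_count = 1;
    /* s.session_verbosity[0] = VERBOSITY_GAUGES_AND_SYSTEM_EVENTS;  <- 4-byte
     * write into a 0-byte allocation: the heap-buffer-overflow ASan reports. */
    free(s.session_verbosity); /* free(NULL) is a no-op if calloc(0, n) returned NULL */
    return bytes;
}

/* Corrected order: set the count first, allocate from it, then fill.
 * Returns the value read back from element 0, or -1 on allocation failure. */
int fixed_order_roundtrip(void) {
    PerfSession s;
    memset(&s, 0, sizeof s);
    s.session_verbosity_count = 1;
    s.session_verbosity = calloc(s.session_verbosity_count, sizeof(SessionVerbosity));
    if (s.session_verbosity == NULL) return -1;
    s.session_verbosity[0] = VERBOSITY_GAUGES_AND_SYSTEM_EVENTS;
    int v = (int)s.session_verbosity[0];
    free(s.session_verbosity);
    return v;
}
```

Building with `-fsanitize=address` and uncommenting the write in the buggy function reproduces the same class of report as the log above.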