[legacy] Fix buffer overflow in v0.2 and v0.4 raw literals decompression
Extends the fix in PR#1722 to v0.2 and v0.4. These aren't built into zstd by default, and v0.5 onward are not affected. I only add the `srcSize > BLOCKSIZE` check to v0.4 because the comments say that it must hold, but the equivalent comment isn't present in v0.2. Credit to OSS-Fuzz.
@@ -2889,6 +2889,7 @@ static size_t ZSTD_decodeLiteralsBlock(void* ctx,
|
|||||||
const size_t litSize = (MEM_readLE32(istart) & 0xFFFFFF) >> 2; /* no buffer issue : srcSize >= MIN_CBLOCK_SIZE */
|
const size_t litSize = (MEM_readLE32(istart) & 0xFFFFFF) >> 2; /* no buffer issue : srcSize >= MIN_CBLOCK_SIZE */
|
||||||
if (litSize > srcSize-11) /* risk of reading too far with wildcopy */
|
if (litSize > srcSize-11) /* risk of reading too far with wildcopy */
|
||||||
{
|
{
|
||||||
|
if (litSize > BLOCKSIZE) return ERROR(corruption_detected);
|
||||||
if (litSize > srcSize-3) return ERROR(corruption_detected);
|
if (litSize > srcSize-3) return ERROR(corruption_detected);
|
||||||
memcpy(dctx->litBuffer, istart, litSize);
|
memcpy(dctx->litBuffer, istart, litSize);
|
||||||
dctx->litPtr = dctx->litBuffer;
|
dctx->litPtr = dctx->litBuffer;
|
||||||
|
|||||||
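Review bot: The added `litSize > BLOCKSIZE` check has no comment saying which buffer it protects, while the two neighbouring bounds each carry one; suggest `if (litSize > BLOCKSIZE) return ERROR(corruption_detected);   /* dctx->litBuffer is sized for BLOCKSIZE bytes */`, adjusted to the real capacity of `litBuffer`, whose declaration is outside the hunk. The `srcSize-11` and `srcSize-3` subtractions are unsigned and depend on the `srcSize >= MIN_CBLOCK_SIZE` invariant noted on the first line, which is established by the caller outside this hunk, so it is worth confirming it holds on every path that reaches this branch. The direct-reference path below the hunk still accepts any litSize up to `srcSize-11`, so whether litSize stays bounded there depends on the caller's own limit on srcSize, which this hunk does not show. The second hunk (at line 2655) makes the identical change and the same remarks apply; ZSTD_decodeLiteralsBlock starts and ends outside both hunks.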
@@ -2655,6 +2655,7 @@ static size_t ZSTD_decodeLiteralsBlock(ZSTD_DCtx* dctx,
|
|||||||
const size_t litSize = (MEM_readLE32(istart) & 0xFFFFFF) >> 2; /* no buffer issue : srcSize >= MIN_CBLOCK_SIZE */
|
const size_t litSize = (MEM_readLE32(istart) & 0xFFFFFF) >> 2; /* no buffer issue : srcSize >= MIN_CBLOCK_SIZE */
|
||||||
if (litSize > srcSize-11) /* risk of reading too far with wildcopy */
|
if (litSize > srcSize-11) /* risk of reading too far with wildcopy */
|
||||||
{
|
{
|
||||||
|
if (litSize > BLOCKSIZE) return ERROR(corruption_detected);
|
||||||
if (litSize > srcSize-3) return ERROR(corruption_detected);
|
if (litSize > srcSize-3) return ERROR(corruption_detected);
|
||||||
memcpy(dctx->litBuffer, istart, litSize);
|
memcpy(dctx->litBuffer, istart, litSize);
|
||||||
dctx->litPtr = dctx->litBuffer;
|
dctx->litPtr = dctx->litBuffer;
|
||||||
@@ -3034,9 +3035,12 @@ static size_t ZSTD_decompressBlock_internal(ZSTD_DCtx* dctx,
|
|||||||
{
|
{
|
||||||
/* blockType == blockCompressed */
|
/* blockType == blockCompressed */
|
||||||
const BYTE* ip = (const BYTE*)src;
|
const BYTE* ip = (const BYTE*)src;
|
||||||
|
size_t litCSize;
|
||||||
|
|
||||||
|
if (srcSize > BLOCKSIZE) return ERROR(corruption_detected);
|
||||||
|
|
||||||
/* Decode literals sub-block */
|
/* Decode literals sub-block */
|
||||||
size_t litCSize = ZSTD_decodeLiteralsBlock(dctx, src, srcSize);
|
litCSize = ZSTD_decodeLiteralsBlock(dctx, src, srcSize);
|
||||||
if (ZSTD_isError(litCSize)) return litCSize;
|
if (ZSTD_isError(litCSize)) return litCSize;
|
||||||
ip += litCSize;
|
ip += litCSize;
|
||||||
srcSize -= litCSize;
|
srcSize -= litCSize;
|
||||||
|
|||||||
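Review bot: The new `srcSize > BLOCKSIZE` guard carries no comment explaining why larger input is treated as corruption, even though the commit message says the file's comments state that bound must hold; suggest `if (srcSize > BLOCKSIZE) return ERROR(corruption_detected);   /* a block never exceeds BLOCKSIZE; larger input is corrupt */` so the reason survives next to the check. Moving `size_t litCSize;` ahead of the guard and assigning it later is presumably to keep declarations before statements for C90; if so, a short note on the declaration would stop a later cleanup from merging it back into the initializer. ZSTD_decompressBlock_internal starts before the hunk and continues after it.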