From 18442a31ff4b87263a6138369e8d0880346af0bd Mon Sep 17 00:00:00 2001
From: Nick Terrell
Date: Tue, 19 Sep 2017 13:46:07 -0700
Subject: [PATCH 1/2] [libzstd] Fix bad window size assert

The window size is not validated or used in the one-pass API, so there shouldn't be an assert based on it.
fix-fuzz-failure
---
 lib/decompress/zstd_decompress.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/decompress/zstd_decompress.c b/lib/decompress/zstd_decompress.c
index 6d6d8339..91518990 100644
--- a/lib/decompress/zstd_decompress.c
+++ b/lib/decompress/zstd_decompress.c
@@ -1372,8 +1372,9 @@ static size_t ZSTD_decompressBlock_internal(ZSTD_DCtx* dctx,
 * conservative. */
 ZSTD_longOffset_e const isLongOffset = (ZSTD_longOffset_e)(MEM_32bits() && (!frame || dctx->fParams.windowSize > (1ULL << STREAM_ACCUMULATOR_MIN)));
- /* We don't expect window sizes this big. */
- assert(!frame || dctx->fParams.windowSize <= (1ULL << STREAM_ACCUMULATOR_MIN_64));
+ /* windowSize could be any value at this point, since it is only validated
+ * in the streaming API.
+ */
 DEBUGLOG(5, "ZSTD_decompressBlock_internal");
 if (srcSize >= ZSTD_BLOCKSIZE_MAX) return ERROR(srcSize_wrong);

From 6c9ed76676075f3772948aae98fdaab69e376370 Mon Sep 17 00:00:00 2001
From: Nick Terrell
Date: Tue, 19 Sep 2017 13:49:37 -0700
Subject: [PATCH 2/2] [ldm] Fix corner case where minMatch < 8

There is a potential read buffer overflow when minMatch < 8.
fix-fuzz-failure
---
 lib/compress/zstd_ldm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/compress/zstd_ldm.c b/lib/compress/zstd_ldm.c
index e7efecdb..e40007c1 100644
--- a/lib/compress/zstd_ldm.c
+++ b/lib/compress/zstd_ldm.c
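Review bot: The replacement comment says windowSize is only validated in the streaming API but does not mention that the value is still consumed one line above, where `dctx->fParams.windowSize > (1ULL << STREAM_ACCUMULATOR_MIN)` selects isLongOffset for a frame on 32-bit builds, so "could be any value at this point" reads as if it were unused here. Suggest `/* windowSize is only validated in the streaming API, so in the one-pass API it may hold any value here; it is still consulted above for isLongOffset, where an oversized value only pushes the choice toward the long-offset path that the preceding comment calls the conservative one. */`. Removing the assert also leaves no bound on a header-derived windowSize in this path; from the hunk it feeds only that comparison, but if anything later in ZSTD_decompressBlock_internal or its one-pass callers sizes a buffer from windowSize, that use would need its own validation rather than relying on the bound the assert used to document. The body of ZSTD_decompressBlock_internal starts and ends outside the hunk.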
@@ -295,7 +295,7 @@ size_t ZSTD_compressBlock_ldm_generic(ZSTD_CCtx* cctx,
 const U32 lowestIndex = cctx->dictLimit;
 const BYTE* const lowest = base + lowestIndex;
 const BYTE* const iend = istart + srcSize;
- const BYTE* const ilimit = iend - ldmParams.minMatchLength;
+ const BYTE* const ilimit = iend - MAX(ldmParams.minMatchLength, HASH_READ_SIZE);
 const ZSTD_blockCompressor blockCompressor = ZSTD_selectBlockCompressor(cctx->appliedParams.cParams.strategy, 0);
@@ -499,7 +499,7 @@ static size_t ZSTD_compressBlock_ldm_extDict_generic(
 const BYTE* const lowPrefixPtr = base + dictLimit;
 const BYTE* const dictEnd = dictBase + dictLimit;
 const BYTE* const iend = istart + srcSize;
- const BYTE* const ilimit = iend - ldmParams.minMatchLength;
+ const BYTE* const ilimit = iend - MAX(ldmParams.minMatchLength, HASH_READ_SIZE);
 const ZSTD_blockCompressor blockCompressor = ZSTD_selectBlockCompressor(ctx->appliedParams.cParams.strategy, 1);
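Review bot: The new ilimit arithmetic `iend - MAX(ldmParams.minMatchLength, HASH_READ_SIZE)` runs before any check that srcSize is at least that large, both here and in the identical change at -499 in ZSTD_compressBlock_ldm_extDict_generic; if a caller can pass a block shorter than HASH_READ_SIZE, the subtraction forms a pointer before istart, which is undefined behaviour even when a later loop-bound comparison never dereferences it. Neither hunk shows whether the callers guarantee a minimum srcSize, so either that guarantee or an explicit guard such as `if (srcSize < MAX(ldmParams.minMatchLength, HASH_READ_SIZE)) { /* hand the whole block to blockCompressor */ }` should be visible at this point. A why-comment would also help a reader who does not have the commit message: `/* The hash presumably reads HASH_READ_SIZE bytes at ip, so stop that far before iend even when minMatchLength is smaller (read-overflow fix). */`. Both enclosing functions start and end outside their hunks.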