facebook/zstd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fixed decoder error (32-bits mode, malicious input)

Browse Source
This commit is contained in:
Yann Collet 2015-11-28 17:09:28 +01:00
parent 00fd7a2110
commit ad50c59bb7
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/zstd_decompress.c
View File

@ -785,11 +785,12 @@ size_t ZSTD_decompressContinue(ZSTD_DCtx* ctx, void* dst, size_t maxDstSize, con
if (srcSize != ctx->expected) return ERROR(srcSize_wrong); if (srcSize != ctx->expected) return ERROR(srcSize_wrong);
if (dst != ctx->previousDstEnd) /* not contiguous */ if (dst != ctx->previousDstEnd) /* not contiguous */
{ {
ctx->dictEnd = ctx->previousDstEnd; if (((char*)dst + maxDstSize > (char*)ctx->base) && (dst < ctx->previousDstEnd)) /* rolling buffer : new segment into dictionary */
if ((dst > ctx->base) && (dst < ctx->previousDstEnd)) /* rolling buffer : new segment right into tracked memory */
ctx->base = (char*)dst + maxDstSize; /* temporary affectation, for vBase calculation */ ctx->base = (char*)dst + maxDstSize; /* temporary affectation, for vBase calculation */
ctx->vBase = (char*)dst - ((char*)(ctx->dictEnd) - (char*)(ctx->base)); ctx->dictEnd = ctx->previousDstEnd;
ctx->vBase = (char*)dst - ((char*)(ctx->previousDstEnd) - (char*)(ctx->base));
ctx->base = dst; ctx->base = dst;
ctx->previousDstEnd = dst;
} }
/* Decompress : frame header; part 1 */ /* Decompress : frame header; part 1 */
@ -839,7 +840,6 @@ size_t ZSTD_decompressContinue(ZSTD_DCtx* ctx, void* dst, size_t maxDstSize, con
ctx->stage = ZSTDds_decompressBlock; ctx->stage = ZSTDds_decompressBlock;
} }
ctx->previousDstEnd = dst;
return 0; return 0;
} }
case 3: case 3: