From b010b3b6271c629d36aa5f2d83abb954ff6cab2c Mon Sep 17 00:00:00 2001
From: Yann Collet
Date: Wed, 3 Feb 2016 12:39:34 +0100
Subject: [PATCH] Fixed decoding error (afl)
---
 lib/zstd_decompress.c | 18 ++++++++++--------
 lib/zstd_internal.h | 4 ++--
 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/lib/zstd_decompress.c b/lib/zstd_decompress.c
index ce969a45..f0c8c428 100644
--- a/lib/zstd_decompress.c
+++ b/lib/zstd_decompress.c
@@ -432,7 +432,7 @@ size_t ZSTD_decodeLiteralsBlock(ZSTD_DCtx* dctx,
 }
 if (lhSize+litSize+WILDCOPY_OVERLENGTH > srcSize) { /* risk reading beyond src buffer with wildcopy */
- if (litSize > srcSize-lhSize) return ERROR(corruption_detected);
+ if (litSize+lhSize > srcSize) return ERROR(corruption_detected);
 memcpy(dctx->litBuffer, istart+lhSize, litSize);
 dctx->litPtr = dctx->litBuffer;
 dctx->litBufSize = BLOCKSIZE+8;
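Review bot: The corrected guard `litSize+lhSize > srcSize` bounds the read from `src`, but nothing in this hunk bounds the `memcpy` write of `litSize` bytes into `dctx->litBuffer`. That write appears to stay in range only because the caller now rejects `srcSize >= BLOCKSIZE` (second hunk), and ZSTD_decodeLiteralsBlock is not shown as `static` in the hunk header, so other callers may not pass through that check. I would make the bound local with `if (litSize > BLOCKSIZE) return ERROR(corruption_detected);` ahead of the `memcpy`, assuming the buffer holds `BLOCKSIZE+8` bytes as the `litBufSize` assignment suggests. The function starts and ends outside this hunk, so an earlier check on `litSize` may already exist.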
@@ -844,28 +844,30 @@ static void ZSTD_checkContinuity(ZSTD_DCtx* dctx, const void* dst)
 static size_t ZSTD_decompressBlock_internal(ZSTD_DCtx* dctx,
- void* dst, size_t maxDstSize,
+ void* dst, size_t dstCapacity,
 const void* src, size_t srcSize)
-{
- /* blockType == blockCompressed */
+{ /* blockType == blockCompressed */
 const BYTE* ip = (const BYTE*)src;
+ size_t litCSize;
+
+ if (srcSize >= BLOCKSIZE) return ERROR(srcSize_wrong);
 /* Decode literals sub-block */
- size_t litCSize = ZSTD_decodeLiteralsBlock(dctx, src, srcSize);
+ litCSize = ZSTD_decodeLiteralsBlock(dctx, src, srcSize);
 if (ZSTD_isError(litCSize)) return litCSize;
 ip += litCSize;
 srcSize -= litCSize;
- return ZSTD_decompressSequences(dctx, dst, maxDstSize, ip, srcSize);
+ return ZSTD_decompressSequences(dctx, dst, dstCapacity, ip, srcSize);
 }
 size_t ZSTD_decompressBlock(ZSTD_DCtx* dctx,
- void* dst, size_t maxDstSize,
+ void* dst, size_t dstCapacity,
 const void* src, size_t srcSize)
 {
 ZSTD_checkContinuity(dctx, dst);
- return ZSTD_decompressBlock_internal(dctx, dst, maxDstSize, src, srcSize);
+ return ZSTD_decompressBlock_internal(dctx, dst, dstCapacity, src, srcSize);
 }
diff --git a/lib/zstd_internal.h b/lib/zstd_internal.h
index f34fb282..d3f989cd 100644
--- a/lib/zstd_internal.h
+++ b/lib/zstd_internal.h
@@ -102,8 +102,8 @@ static const size_t ZSTD_frameHeaderSize_min = 5;
 #define HufLog 12
-#define MIN_SEQUENCES_SIZE 1 /* seqNb */
-#define MIN_CBLOCK_SIZE (1 /*litCSize*/ + MIN_SEQUENCES_SIZE)
+#define MIN_SEQUENCES_SIZE 1 /* nbSeq==0 */
+#define MIN_CBLOCK_SIZE (1 /*litCSize*/ + 1 /* RLE or RAW */ + MIN_SEQUENCES_SIZE /* nbSeq==0 */) /* for a non-null block */
 #define WILDCOPY_OVERLENGTH 8
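Review bot: The new guard `if (srcSize >= BLOCKSIZE) return ERROR(srcSize_wrong);` in ZSTD_decompressBlock_internal has no comment saying what it protects or why the bound is `>=` rather than `>`. It looks like the check that keeps decoded literals within the fixed-size literal buffer, so a line such as `/* reject oversized input before literals are copied into litBuffer */` would stop a later cleanup from dropping it. The diffstat lists only the two library files, so the afl input behind this fix is not added as a regression case; keeping it in the test or fuzz corpus would pin the behaviour. ZSTD_decompressBlock forwards `srcSize` unchanged, so its documented contract should mention the new `srcSize_wrong` return.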