git.ipfire.org Git - thirdparty/zstd.git/commit

]> git.ipfire.org Git - thirdparty/zstd.git/commit - lib/legacy/zstd_v03.c

projects / thirdparty / zstd.git / commit

author	Nick Terrell <terrelln@fb.com>
	Fri, 1 May 2020 23:35:35 +0000 (16:35 -0700)
committer	Nick Terrell <nickrterrell@gmail.com>
	Wed, 6 May 2020 19:09:02 +0000 (12:09 -0700)
commit	5717bd39ee1bd5d2855023652336deeb722a57d5
tree	ffe0a4b55cc2d1faf1f1dd47c5e97d9387b98e55	tree \| snapshot
parent	ad8dbae1b741a8cb6a9fe0808bc841f3ed3bd034	commit \| diff

[lib] Fix NULL pointer dereference

When the output buffer is `NULL` with size 0, but the frame content size
is non-zero, we will write to the NULL pointer because our bounds check
underflowed.

This was exposed by a recent PR that allowed an empty frame into the
single-pass shortcut in streaming mode.

* Fix the bug.
* Fix another NULL dereference in zstd-v1.
* Overflow checks in 32-bit mode.
* Add a dedicated test.
* Expose the bug in the dedicated simple_decompress fuzzer.
* Switch all mallocs in fuzzers to return NULL for size=0.
* Fix a new timeout in a fuzzer.

Neither clang nor gcc show a decompression speed regression on x86-64.
On x86-32 clang is slightly positive and gcc loses 2.5% of speed.

Credit to OSS-Fuzz.

26 files changed:

lib/common/xxhash.c		diff \| blob \| blame \| history
lib/decompress/zstd_decompress_block.c		diff \| blob \| blame \| history
lib/legacy/zstd_v01.c		diff \| blob \| blame \| history
lib/legacy/zstd_v02.c		diff \| blob \| blame \| history
lib/legacy/zstd_v03.c		diff \| blob \| blame \| history
lib/legacy/zstd_v04.c		diff \| blob \| blame \| history
lib/legacy/zstd_v05.c		diff \| blob \| blame \| history
lib/legacy/zstd_v06.c		diff \| blob \| blame \| history
lib/legacy/zstd_v07.c		diff \| blob \| blame \| history
tests/fuzz/Makefile		diff \| blob \| blame \| history
tests/fuzz/block_decompress.c		diff \| blob \| blame \| history
tests/fuzz/block_round_trip.c		diff \| blob \| blame \| history
tests/fuzz/dictionary_decompress.c		diff \| blob \| blame \| history
tests/fuzz/dictionary_loader.c		diff \| blob \| blame \| history
tests/fuzz/dictionary_round_trip.c		diff \| blob \| blame \| history
tests/fuzz/fuzz_data_producer.c		diff \| blob \| blame \| history
tests/fuzz/fuzz_helpers.c	[new file with mode: 0644]	blob
tests/fuzz/fuzz_helpers.h		diff \| blob \| blame \| history
tests/fuzz/simple_compress.c		diff \| blob \| blame \| history
tests/fuzz/simple_decompress.c		diff \| blob \| blame \| history
tests/fuzz/simple_round_trip.c		diff \| blob \| blame \| history
tests/fuzz/stream_decompress.c		diff \| blob \| blame \| history
tests/fuzz/stream_round_trip.c		diff \| blob \| blame \| history
tests/fuzz/zstd_frame_info.c		diff \| blob \| blame \| history
tests/fuzz/zstd_helpers.c		diff \| blob \| blame \| history
tests/fuzzer.c		diff \| blob \| blame \| history

Mirror of https://github.com/facebook/zstd.git

RSS Atom