git.ipfire.org Git - thirdparty/zstd.git/commit
[fix] Add missing bounds checks during compression 2709/head
author Nick Terrell <terrelln@fb.com>
Mon, 14 Jun 2021 18:25:55 +0000 (11:25 -0700)
committer Nick Terrell <terrelln@fb.com>
Mon, 14 Jun 2021 18:35:33 +0000 (11:35 -0700)
commit 05b6773fbcce1075edbe498a821f9a41249cf384
tree 4331ab09c4c36ff85c38d25bf8c09bd9bb1af580
parent 89127e5ee2f3c1e141668fa6d4ee91245f05d132
[fix] Add missing bounds checks during compression

* The block splitter missed a bounds check, so when the buffer is too small it
  passes an erroneously large size to `ZSTD_entropyCompressSeqStore()`, which
  can then write the compressed data past the end of the buffer. This is a new
  regression in v1.5.0 when the block splitter is enabled. It is either enabled
  explicitly, or implicitly when using the optimal parser and `ZSTD_compress2()`
  or `ZSTD_compressStream*()`.
* `HUF_writeCTable_wksp()` omits a bounds check when calling
  `HUF_compressWeights()`. If it is called with `dstCapacity == 0` it will pass
  an erroneously large size to `HUF_compressWeights()`, which can then write
  past the end of the buffer. This bug has been present for ages. However, I
  believe that zstd cannot trigger the bug, because it never calls
  `HUF_compress*()` with `dstCapacity == 0` because of [this check][1].

Credit to: Oss-Fuzz

[1]: https://github.com/facebook/zstd/blob/89127e5ee2f3c1e141668fa6d4ee91245f05d132/lib/compress/zstd_compress_literals.c#L100
lib/compress/huf_compress.c
lib/compress/zstd_compress.c
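
The diff is not shown on this page, so the following is an added illustration, not zstd code and not the author's patch. It assumes the "erroneously large size" arises the usual way for this bug class: an unsigned capacity minus a reserved header size wraps around when the buffer is too small. All function names, the header sizes and the sample payload are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names are hypothetical; this is not zstd source code. */
#define ERR_DST_TOO_SMALL ((size_t)-1)

/* Inner writer: trusts `cap` as the room really available at `dst`. */
static int inner_accepts(size_t cap, size_t n) { return n <= cap; }

static size_t inner_write(uint8_t *dst, size_t cap, const uint8_t *src, size_t n)
{
    if (!inner_accepts(cap, n)) return ERR_DST_TOO_SMALL;
    memcpy(dst, src, n);
    return n;
}

/* Capacity an unchecked caller hands to the inner writer after reserving
 * `hdr` header bytes. size_t is unsigned, so cap < hdr wraps to a huge value. */
static size_t inner_cap_unchecked(size_t cap, size_t hdr) { return cap - hdr; }

/* Hardened caller: reject a too-small buffer before subtracting. */
static size_t write_checked(uint8_t *dst, size_t cap, size_t hdr,
                            const uint8_t *src, size_t n)
{
    size_t written;
    if (cap < hdr) return ERR_DST_TOO_SMALL;
    written = inner_write(dst + hdr, cap - hdr, src, n);
    if (written == ERR_DST_TOO_SMALL) return ERR_DST_TOO_SMALL;
    memset(dst, 0, hdr);                 /* placeholder header bytes */
    return hdr + written;
}

int main(void)
{
    uint8_t out[8];
    const uint8_t payload[4] = {1, 2, 3, 4};   /* constructed sample input */
    size_t wrapped = inner_cap_unchecked(0, 1);
    printf("unchecked inner capacity for cap=0: %zu\n", wrapped);
    printf("inner check would accept 1000 bytes: %d\n", inner_accepts(wrapped, 1000));
    printf("checked, cap=0: %s\n",
           write_checked(out, 0, 1, payload, 4) == ERR_DST_TOO_SMALL ? "rejected" : "written");
    printf("checked, cap=8: %zu bytes\n", write_checked(out, 8, 1, payload, 4));
    return 0;
}
```

The inner writer's own bounds check is intact in both paths; it is defeated only because the caller supplies a wrapped capacity, which is why the check has to sit before the subtraction.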