Minor security fixes

author Sean Purcell <me@seanp.xyz>

Wed, 1 Feb 2017 18:41:04 +0000 (10:41 -0800)

committer Sean Purcell <me@seanp.xyz>

Wed, 1 Feb 2017 18:41:04 +0000 (10:41 -0800)
author Sean Purcell <me@seanp.xyz>
Wed, 1 Feb 2017 18:41:04 +0000 (10:41 -0800)
committer Sean Purcell <me@seanp.xyz>
Wed, 1 Feb 2017 18:41:04 +0000 (10:41 -0800)
diff --git a/contrib/educational_decoder/harness.c b/contrib/educational_decoder/harness.c

index 107a16a22cfa6f9537a4764b92da490acec619c2..cff8239d6f0884179597dca00ceba6f399c9dc89 100644 (file)
--- a/contrib/educational_decoder/harness.c
+++ b/contrib/educational_decoder/harness.c
@@ -98,7 +98,7 @@ int main(int argc, char **argv) {
      }
  
      size_t decompressed =
-        ZSTD_decompress_with_dict(output, input_size * MAX_COMPRESSION_RATIO,
+        ZSTD_decompress_with_dict(output, decompressed_size,
                                    input, input_size, dict, dict_size);
  
      write_file(argv[2], output, decompressed);
diff --git a/contrib/educational_decoder/zstd_decompress.c b/contrib/educational_decoder/zstd_decompress.c

index 3c1c567302cd6b71d2c824e03884de832cd59662..e2fbcf2cf06014b76fa73521f0bc8185fecf2e6c 100644 (file)
--- a/contrib/educational_decoder/zstd_decompress.c
+++ b/contrib/educational_decoder/zstd_decompress.c
@@ -1331,6 +1331,8 @@ static void execute_sequences(io_streams_t *const streams,
                  }
                  match_length -= dict_copy;
              }
+        } else if (offset > ctx->header.window_size) {
+            CORRUPTION();
          }
  
          // We must copy byte by byte because the match length might be larger
author	Sean Purcell <me@seanp.xyz>
	Wed, 1 Feb 2017 18:41:04 +0000 (10:41 -0800)
committer	Sean Purcell <me@seanp.xyz>
	Wed, 1 Feb 2017 18:41:04 +0000 (10:41 -0800)
contrib/educational_decoder/harness.c		patch \| blob \| blame \| history
contrib/educational_decoder/zstd_decompress.c		patch \| blob \| blame \| history