Error if reported size is too large in edge case

author Nick Terrell <terrelln@fb.com>

Wed, 23 May 2018 21:47:20 +0000 (14:47 -0700)

committer Nick Terrell <terrelln@fb.com>

Wed, 23 May 2018 21:47:20 +0000 (14:47 -0700)
author Nick Terrell <terrelln@fb.com>
Wed, 23 May 2018 21:47:20 +0000 (14:47 -0700)
committer Nick Terrell <terrelln@fb.com>
Wed, 23 May 2018 21:47:20 +0000 (14:47 -0700)
diff --git a/lib/common/entropy_common.c b/lib/common/entropy_common.c

index a8d0b146becf2df12dd2fcda2e65841054cc444c..2edb6e9be51384f81bf84e337d096eee6bbbd2e1 100644 (file)
--- a/lib/common/entropy_common.c
+++ b/lib/common/entropy_common.c
@@ -77,8 +77,13 @@ size_t FSE_readNCount (short* normalizedCounter, unsigned* maxSVPtr, unsigned* t
        char buffer[4];
        memset(buffer, 0, sizeof(buffer));
        memcpy(buffer, headerBuffer, hbSize);
-      return FSE_readNCount(normalizedCounter, maxSVPtr, tableLogPtr, buffer, sizeof(buffer));
+      size_t const countSize = FSE_readNCount(normalizedCounter, maxSVPtr, tableLogPtr,
+                                              buffer, sizeof(buffer));
+      if (FSE_isError(countSize)) return countSize;
+      if (countSize > hbSize) return ERROR(corruption_detected);
+      return countSize;
      }
+    assert(hbSize >= 4);
  
      bitStream = MEM_readLE32(ip);
      nbBits = (bitStream & 0xF) + FSE_MIN_TABLELOG;   /* extract tableLog */
author	Nick Terrell <terrelln@fb.com>
	Wed, 23 May 2018 21:47:20 +0000 (14:47 -0700)
committer	Nick Terrell <terrelln@fb.com>
	Wed, 23 May 2018 21:47:20 +0000 (14:47 -0700)