From: Douglas Bagnall Date: Wed, 11 May 2022 00:46:21 +0000 (+1200) Subject: compression: fix lzxpress decompress with trailing flags X-Git-Tag: talloc-2.3.4~155 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ca444929417a8c86108776bba0ad6be3e5efff1;p=thirdparty%2Fsamba.git compression: fix lzxpress decompress with trailing flags Every so often, lzxpress adds a 32-bit block of indicator flags to help decode the next clump of 32 code words. A naive compressor (such as we have) might do this at the very end for flags that aren't actually used because there are no more bytes to decompress. If that happens we need to stop processing, or we'll come to worse outcome at the next CHECK_INPUT_BYTES. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- diff --git a/lib/compression/lzxpress.c b/lib/compression/lzxpress.c index de062872560..288fa0bcba8 100644 --- a/lib/compression/lzxpress.c +++ b/lib/compression/lzxpress.c @@ -236,6 +236,13 @@ ssize_t lzxpress_decompress(const uint8_t *input, CHECK_INPUT_BYTES(sizeof(uint32_t)); indicator = PULL_LE_U32(input, input_index); input_index += sizeof(uint32_t); + if (input_index == input_size) { + /* + * The compressor left room for indicator + * flags for data that doesn't exist. + */ + break; + } indicator_bit = 32; } indicator_bit--;
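Review bot: the new `input_index == input_size` test right after the indicator read accepts any input that ends exactly on an indicator word, so an input truncated at that point is handled the same way as the compressor's unused trailing flags. The comment covers only the compressor case; it should also say what the function returns when the `break` is taken on a truncated stream, and if the expected output length is known at this point it would be better to compare against it before breaking. The patch also adds no test input with trailing unused flags, which would pin down the behaviour the commit message describes.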