From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Sun, 19 Apr 2026 13:47:11 +0000 (+0200)
Subject: compress: gracefully handle a truncated ZSTD frame
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=35eb598af26f66c94d7403f6170d5cae438871fb;p=thirdparty%2Fsystemd.git

compress: gracefully handle a truncated ZSTD frame

If a journal file contains a truncated ZSTD frame (i.e. a frame with
Frame_Content_Size > 0, but with not enough data in Data_Block),
ZSTD_decompressStream() would return a non-zero, non-error value. This
would then skip the error path in the ZSTD_isError() branch and we'd hit
the following assert:

$ build-local/journalctl -o cat --file zstd-truncated.journal
Assertion 'output.pos >= prefix_len + 1' failed at src/basic/compress.c:1236, function decompress_startswith_zstd(). Aborting.
Aborted                    (core dumped) build-local/journalctl -o cat --file zstd-truncated.journal

Let's handle this situation gracefully and return EBADMSG instead.

Also, add another journalctl invocation to the corrupted-journals test
that goes through the sd_journal_get_data() -> decompress_startswith_zstd()
code path which, among other things, covers the issue when run on the
provided journal file.
---

diff --git a/src/basic/compress.c b/src/basic/compress.c
index 72e336bc689..4beaa0f6bd2 100644
--- a/src/basic/compress.c
+++ b/src/basic/compress.c
@@ -1233,7 +1233,9 @@ static int decompress_startswith_zstd(
                 log_debug("ZSTD decoder failed: %s", sym_ZSTD_getErrorName(k));
                 return zstd_ret_to_errno(k);
         }
-        assert(output.pos >= prefix_len + 1);
+
+        if (output.pos < prefix_len + 1)
+                return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "ZSTD decoded less data than indicated, probably corrupted stream.");
 
         return memcmp(*buffer, prefix, prefix_len) == 0 &&
                 ((const uint8_t*) *buffer)[prefix_len] == extra;
diff --git a/test/test-journals/corrupted/zstd-truncated-frame.zst b/test/test-journals/corrupted/zstd-truncated-frame.zst
new file mode 100644
index 00000000000..66db974981f
Binary files /dev/null and b/test/test-journals/corrupted/zstd-truncated-frame.zst differ
diff --git a/test/units/TEST-04-JOURNAL.corrupted-journals.sh b/test/units/TEST-04-JOURNAL.corrupted-journals.sh
index 3dd0fc6dde5..0a8d7e030e8 100755
--- a/test/units/TEST-04-JOURNAL.corrupted-journals.sh
+++ b/test/units/TEST-04-JOURNAL.corrupted-journals.sh
@@ -20,6 +20,7 @@ if [[ "$(systemd-detect-virt -v)" != "qemu" ]]; then
         timeout 10 journalctl --file="$file" --boot >/dev/null || [[ $? -lt 124 ]]
         timeout 10 journalctl --file="$file" --verify >/dev/null || [[ $? -lt 124 ]]
         timeout 10 journalctl --file="$file" --output=export >/dev/null || [[ $? -lt 124 ]]
+        timeout 10 journalctl --file="$file" --grep=. >/dev/null || [[ $? -lt 124 ]]
         timeout 10 journalctl --file="$file" --fields >/dev/null || [[ $? -lt 124 ]]
         timeout 10 journalctl --file="$file" --list-boots >/dev/null || [[ $? -lt 124 ]]
         if [[ -x /usr/lib/systemd/systemd-journal-remote ]]; then
@@ -36,6 +37,7 @@ fi
 timeout 30 journalctl --directory="$JOURNAL_DIR" --boot >/dev/null || [[ $? -lt 124 ]]
 timeout 30 journalctl --directory="$JOURNAL_DIR" --verify >/dev/null || [[ $? -lt 124 ]]
 timeout 30 journalctl --directory="$JOURNAL_DIR" --output=export >/dev/null || [[ $? -lt 124 ]]
+timeout 30 journalctl --directory="$JOURNAL_DIR" --grep=. >/dev/null || [[ $? -lt 124 ]]
 timeout 30 journalctl --directory="$JOURNAL_DIR" --fields >/dev/null || [[ $? -lt 124 ]]
 timeout 30 journalctl --directory="$JOURNAL_DIR" --list-boots >/dev/null || [[ $? -lt 124 ]]
 if [[ -x /usr/lib/systemd/systemd-journal-remote ]]; then