From: Sean Purcell
Date: Wed, 1 Feb 2017 18:41:04 +0000 (-0800)
Subject: Minor security fixes
X-Git-Tag: v1.1.4~1^2~77^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=823d8c233bd7a12aefee349d7556855ea3894487;p=thirdparty%2Fzstd.git
Minor security fixes
---
diff --git a/contrib/educational_decoder/harness.c b/contrib/educational_decoder/harness.c
index 107a16a22..cff8239d6 100644
--- a/contrib/educational_decoder/harness.c
+++ b/contrib/educational_decoder/harness.c
@@ -98,7 +98,7 @@ int main(int argc, char **argv) {
 }
 size_t decompressed =
- ZSTD_decompress_with_dict(output, input_size * MAX_COMPRESSION_RATIO,
+ ZSTD_decompress_with_dict(output, decompressed_size,
 input, input_size, dict, dict_size);
 write_file(argv[2], output, decompressed);
diff --git a/contrib/educational_decoder/zstd_decompress.c b/contrib/educational_decoder/zstd_decompress.c
index 3c1c56730..e2fbcf2cf 100644
--- a/contrib/educational_decoder/zstd_decompress.c
+++ b/contrib/educational_decoder/zstd_decompress.c
@@ -1331,6 +1331,8 @@ static void execute_sequences(io_streams_t *const streams,
 }
 match_length -= dict_copy;
 }
+ } else if (offset > ctx->header.window_size) {
+ CORRUPTION();
 }
 // We must copy byte by byte because the match length might be larger
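Review bot: At the ZSTD_decompress_with_dict call in main(), nothing records that `decompressed_size` has to be the exact size `output` was allocated with, and that argument is the only limit the decoder has on writes into the buffer. The allocation sits above the hunk, so I am assuming it uses the same variable. If it does, a comment above the call would keep the two from drifting apart again: `// capacity must be the size output was allocated with, never an estimate derived from input_size`. main() begins and ends outside the hunk.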
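Review bot: The new `else if (offset > ctx->header.window_size)` branch in execute_sequences carries no comment, although it is a bounds check on a match offset decoded from untrusted input. The `if` it belongs to is outside the hunk; presumably that branch handles output that has not yet grown past the window, which would make this one the only offset check once it has. I would note that on the branch, `// beyond the first window a match may reach back at most window_size bytes`, so a later refactor does not drop it as redundant. The function body starts and ends outside the hunk.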