From: Yann Collet Date: Tue, 5 Mar 2024 21:40:12 +0000 (-0800) Subject: Merge pull request #3840 from aimuz/fix-reserved X-Git-Tag: v1.5.6^2~52 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8689633fdf5dabfc7f4cd6f79611335c3f8def88;p=thirdparty%2Fzstd.git Merge pull request #3840 from aimuz/fix-reserved lib/decompress: check for reserved bit corruption in zstd --- 8689633fdf5dabfc7f4cd6f79611335c3f8def88 diff --cc lib/decompress/zstd_decompress_block.c index 1943d7f57,80c29db69..8d9fea5fd --- a/lib/decompress/zstd_decompress_block.c +++ b/lib/decompress/zstd_decompress_block.c @@@ -718,15 -605,9 +718,16 @@@ size_t ZSTD_decodeSeqHeaders(ZSTD_DCtx } *nbSeqPtr = nbSeq; + if (nbSeq == 0) { + /* No sequence : section ends immediately */ + RETURN_ERROR_IF(ip != iend, corruption_detected, + "extraneous data present in the Sequences section"); + return (size_t)(ip - istart); + } + /* FSE table descriptors */ RETURN_ERROR_IF(ip+1 > iend, srcSize_wrong, ""); /* minimum possible size: 1 byte for symbol encoding types */ + RETURN_ERROR_IF(*ip & 3, corruption_detected, ""); /* The last field, Reserved, must be all-zeroes. */ { symbolEncodingType_e const LLtype = (symbolEncodingType_e)(*ip >> 6); symbolEncodingType_e const OFtype = (symbolEncodingType_e)((*ip >> 4) & 3); symbolEncodingType_e const MLtype = (symbolEncodingType_e)((*ip >> 2) & 3);
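Review bot: The new reserved-bits check `RETURN_ERROR_IF(*ip & 3, corruption_detected, "");` passes an empty message, unlike the `nbSeq == 0` check just above it, so a frame rejected here leaves no stated reason in whatever diagnostics the macro emits. I would give it one, e.g. `RETURN_ERROR_IF(*ip & 3, corruption_detected, "reserved bits of the symbol compression modes byte must be zero");`. The check is correctly placed after the `ip+1 > iend` bound test, so the `*ip` read stays in range. Input that sets these bits presumably decoded before this change and is now rejected, so a regression input for this path and a changelog line are worth adding if they are not elsewhere in the pull request; none is visible in this hunk. ZSTD_decodeSeqHeaders starts and ends outside the hunk.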