From: Yann Collet
Date: Tue, 7 Feb 2023 22:02:12 +0000 (-0800)
Subject: fix legacy decoders v0.4, v0.5 and v0.6
X-Git-Tag: v1.5.4^2~6^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94197471719757d9dcf7aca10705d829a45817c8;p=thirdparty%2Fzstd.git
fix legacy decoders v0.4, v0.5 and v0.6
---
diff --git a/lib/legacy/zstd_v04.c b/lib/legacy/zstd_v04.c
index f820134b7..57be832bd 100644
--- a/lib/legacy/zstd_v04.c
+++ b/lib/legacy/zstd_v04.c
@@ -2835,7 +2835,6 @@ static size_t ZSTD_execSequence(BYTE* op,
 if (sequence.litLength > (size_t)(litLimit - *litPtr)) return ERROR(corruption_detected);
 /* Now we know there are no overflow in literal nor match lengths, can use pointer checks */
 if (oLitEnd > oend_8) return ERROR(dstSize_tooSmall);
- if (sequence.offset > (U32)(oLitEnd - base)) return ERROR(corruption_detected);
 if (oMatchEnd > oend) return ERROR(dstSize_tooSmall); /* overwrite beyond dst buffer */
 if (litEnd > litLimit) return ERROR(corruption_detected); /* overRead beyond lit buffer */
diff --git a/lib/legacy/zstd_v05.c b/lib/legacy/zstd_v05.c
index 85c4ce79f..93a1169f3 100644
--- a/lib/legacy/zstd_v05.c
+++ b/lib/legacy/zstd_v05.c
@@ -3189,7 +3189,6 @@ static size_t ZSTDv05_execSequence(BYTE* op,
 if (sequence.litLength > (size_t)(litLimit - *litPtr)) return ERROR(corruption_detected);
 /* Now we know there are no overflow in literal nor match lengths, can use pointer checks */
 if (oLitEnd > oend_8) return ERROR(dstSize_tooSmall);
- if (sequence.offset > (U32)(oLitEnd - base)) return ERROR(corruption_detected);
 if (oMatchEnd > oend) return ERROR(dstSize_tooSmall); /* overwrite beyond dst buffer */
 if (litEnd > litLimit) return ERROR(corruption_detected); /* overRead beyond lit buffer */
diff --git a/lib/legacy/zstd_v06.c b/lib/legacy/zstd_v06.c
index 097182a4c..175f7cc42 100644
--- a/lib/legacy/zstd_v06.c
+++ b/lib/legacy/zstd_v06.c
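Review bot: With the `sequence.offset > (U32)(oLitEnd - base)` test deleted after the `oLitEnd > oend_8` check in `ZSTD_execSequence` (zstd_v04.c), no line visible in this hunk bounds the match offset any more, and neither the commit message nor the code says why that is safe for input the decoder does not trust. Presumably offsets larger than `oLitEnd - base` are legitimate in these formats because a match may start in a dictionary segment, and the match-copy code later in the function (outside the hunk) is expected to reject offsets that fall before the start of that segment; this should be confirmed and recorded where the check used to be, for example `/* offset is not compared with base here: a match may start in the dictionary segment; the match-copy path below validates it */`. The same removal is made in `ZSTDv05_execSequence` (zstd_v05.c) and `ZSTDv06_execSequence` (zstd_v06.c), so the same comment applies there. A regression test that decodes one valid frame referencing a dictionary and one frame with an out-of-range offset, run in an AddressSanitizer build, would pin both sides of the behaviour.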
@@ -3329,7 +3329,6 @@ static size_t ZSTDv06_execSequence(BYTE* op,
 if (sequence.litLength > (size_t)(litLimit - *litPtr)) return ERROR(corruption_detected);
 /* Now we know there are no overflow in literal nor match lengths, can use pointer checks */
 if (oLitEnd > oend_8) return ERROR(dstSize_tooSmall);
- if (sequence.offset > (U32)(oLitEnd - base)) return ERROR(corruption_detected);
 if (oMatchEnd > oend) return ERROR(dstSize_tooSmall); /* overwrite beyond dst buffer */
 if (iLitEnd > litLimit) return ERROR(corruption_detected); /* overRead beyond lit buffer */