From: Yann Collet Date: Fri, 8 Mar 2024 22:55:38 +0000 (-0800) Subject: new method to deal with offset==0 X-Git-Tag: v1.5.6^2~41^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9fb8d4c41bf3cc829adf20aea3768863d03cd0d;p=thirdparty%2Fzstd.git new method to deal with offset==0 in this new method, when an `offset==0` is detected, it's converted into (size_t)(-1), instead of 1. The logic is that (size_t)(-1) is effectively an extremely large positive number, which will not pass the offset distance test at next stage (`execSequence()`). Checked the source code, and offset is always checked (as it should), using a formula which is not vulnerable to arithmetic overflow: ``` RETURN_ERROR_IF(sequence.offset > (size_t)(oLitEnd - virtualStart), ``` The benefit is that such a case (offset==0) is always detected as corrupted data as opposed to relying on the checksum to detect the error. --- diff --git a/lib/decompress/zstd_decompress_block.c b/lib/decompress/zstd_decompress_block.c index 8d9fea5fd..76d7332e8 100644 --- a/lib/decompress/zstd_decompress_block.c +++ b/lib/decompress/zstd_decompress_block.c @@ -1305,7 +1305,7 @@ ZSTD_decodeSequence(seqState_t* seqState, const ZSTD_longOffset_e longOffsets, c } else { offset = ofBase + ll0 + BIT_readBitsFast(&seqState->DStream, 1); { size_t temp = (offset==3) ? seqState->prevOffset[0] - 1 : seqState->prevOffset[offset]; - temp += !temp; /* 0 is not valid; input is corrupted; force offset to 1 */ + temp -= !temp; /* 0 is not valid: input corrupted => force offset to -1 => corruption detected at execSequence */ if (offset != 1) seqState->prevOffset[2] = seqState->prevOffset[1]; seqState->prevOffset[1] = seqState->prevOffset[0]; seqState->prevOffset[0] = offset = temp;
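Review bot: On the `temp -= !temp;` line, the wrapped value is not only returned as `offset`, it is also stored into the repeat-offset history by `seqState->prevOffset[0] = offset = temp;`, so correctness now depends entirely on a later stage rejecting the sequence before that history is used again. The commit message names that stage and the test it relies on (`sequence.offset > (size_t)(oLitEnd - virtualStart)` in `execSequence()`), but the in-code comment only says "corruption detected at execSequence". I would spell the dependency out there, and write the sentinel as `(size_t)(-1)` rather than `-1`, since `temp` is a `size_t` and the behaviour comes from unsigned wraparound. Any path that consumes the decoded offset without going through that distance test would previously have seen 1 and will now see the maximum `size_t` value, so it is worth stating in the comment that every consumer must perform the check. A regression test that decodes an input producing `offset==0` and asserts a corruption error, rather than a checksum mismatch, would pin down the behaviour the commit message describes.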