From: Nick Terrell
Date: Wed, 23 May 2018 21:47:20 +0000 (-0700)
Subject: Error if reported size is too large in edge case
X-Git-Tag: v1.3.5~3^2~46^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c92dd11940f68c71d3b627de2612537b7e2ae92a;p=thirdparty%2Fzstd.git

Error if reported size is too large in edge case
---
diff --git a/lib/common/entropy_common.c b/lib/common/entropy_common.c
index a8d0b146b..2edb6e9be 100644
--- a/lib/common/entropy_common.c
+++ b/lib/common/entropy_common.c
@@ -77,8 +77,13 @@ size_t FSE_readNCount (short* normalizedCounter, unsigned* maxSVPtr, unsigned* t
 char buffer[4];
 memset(buffer, 0, sizeof(buffer));
 memcpy(buffer, headerBuffer, hbSize);
- return FSE_readNCount(normalizedCounter, maxSVPtr, tableLogPtr, buffer, sizeof(buffer));
+ size_t const countSize = FSE_readNCount(normalizedCounter, maxSVPtr, tableLogPtr,
+ buffer, sizeof(buffer));
+ if (FSE_isError(countSize)) return countSize;
+ if (countSize > hbSize) return ERROR(corruption_detected);
+ return countSize;
 }
+ assert(hbSize >= 4);
 bitStream = MEM_readLE32(ip);
 nbBits = (bitStream & 0xF) + FSE_MIN_TABLELOG; /* extract tableLog */
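Review bot: In the `hbSize < 4` branch, `size_t const countSize = …` is declared after the `memset`/`memcpy` statements, which is a mixed declaration and will fail a C90 build or one using `-Wdeclaration-after-statement`, if this library is compiled that way; opening an inner block, `{   size_t const countSize = FSE_readNCount(normalizedCounter, maxSVPtr, tableLogPtr, buffer, sizeof(buffer));` … `}`, keeps the same logic and avoids it. The new `countSize > hbSize` test also deserves a one-line comment, for example `/* buffer is zero-padded to 4 bytes: a size above hbSize means the header ran into padding, not input */`, because a caller that trusts the returned size would presumably advance past the end of its real input. The body of FSE_readNCount begins before and continues after this hunk, so how callers use the return value is not visible here.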