From: Yann Collet
Date: Thu, 26 Nov 2015 21:39:29 +0000 (+0100)
Subject: fixed hang bug (infinite loop) in decoder, buffered mode, malicious input
X-Git-Tag: zstd-0.4.0^2~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d248aa1c62c70f3ec4b533b951767fa464a4883d;p=thirdparty%2Fzstd.git
fixed hang bug (infinite loop) in decoder, buffered mode, malicious input
---
diff --git a/lib/zstd_buffered.c b/lib/zstd_buffered.c
index 6040931a1..7cf61ed84 100644
--- a/lib/zstd_buffered.c
+++ b/lib/zstd_buffered.c
@@ -260,7 +260,7 @@ size_t ZBUFF_compressContinue(ZBUFF_CCtx* zbc,
 size_t ZBUFF_compressFlush(ZBUFF_CCtx* zbc, void* dst, size_t* maxDstSizePtr)
 {
 size_t srcSize = 0;
- ZBUFF_compressContinue_generic(zbc, dst, maxDstSizePtr, &srcSize, &srcSize, 1);
+ ZBUFF_compressContinue_generic(zbc, dst, maxDstSizePtr, &srcSize, &srcSize, 1); /* use a valid src address instead of NULL, as some sanitizer don't like it */
 return zbc->outBuffContentSize - zbc->outBuffFlushedSize;
 }
@@ -511,7 +511,10 @@ size_t ZBUFF_decompressContinue(ZBUFF_DCtx* zbc, void* dst, size_t* maxDstSizePt
 zbc->stage = ZBUFFds_read;
 if (zbc->outStart + BLOCKSIZE > zbc->outBuffSize) zbc->outStart = zbc->outEnd = 0;
+ break;
 }
+ /* cannot flush everything */
+ notDone = 0;
 break;
 }
 }
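Review bot: The new comment on the `ZBUFF_compressContinue_generic` call in `ZBUFF_compressFlush` justifies the `&srcSize` argument only by appeal to sanitizers, and its wording ("some sanitizer don't like it") will read as a shrug to the next maintainer rather than a rule. Passing a null pointer to `memcpy` or any other `mem*` function is undefined behaviour even when the length is zero, so the address genuinely has to be valid; presumably the generic path hands `src` on to such a call, which I cannot see from this hunk. I would reword it as `/* srcSize is 0, but src must still be a valid address: a NULL pointer given to memcpy is undefined behaviour, which UBSan reports */`.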
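Review bot: The added `notDone = 0;` on the partial-flush path is what stops the loop that previously spun forever once `dst` was full, yet `/* cannot flush everything */` does not record that, so a later cleanup that simply `break`s from the switch again would silently reintroduce the hang; the enclosing `ZBUFF_decompressContinue` starts and ends outside the hunk, so I cannot see what the caller is returned here. I would expand the comment to `/* dst is full: leave the loop so the caller can drain the rest on a later call; looping again here makes no progress and hung the decoder (see commit subject) */`. The same exit deserves a regression test that decompresses a valid stream into a destination buffer smaller than one block and checks that each call returns with pending output rather than never returning, since the trigger appears to be a full output buffer rather than a malformed frame, which I cannot confirm from the hunk alone.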