From: Nick Terrell <terrelln@fb.com>
Date: Tue, 18 Oct 2016 01:16:57 +0000 (-0700)
Subject: Fix stack buffer overflow in HUF_readCTable()
X-Git-Tag: v1.1.1~21^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd9808704799f74a30246754ebf239ac1e8cafc9;p=thirdparty%2Fzstd.git

Fix stack buffer overflow in HUF_readCTable()

If `w ==0` on line 153, then `CTable[n].nbBits == tableLog + 1`.
Then `nbPerRank[CTable[n].nbBits]` and `valPerRank[CTable[n].nbBits]`
are stack buffer overflows.
---

diff --git a/lib/compress/huf_compress.c b/lib/compress/huf_compress.c
index b7d3d77a2..41de7449a 100644
--- a/lib/compress/huf_compress.c
+++ b/lib/compress/huf_compress.c
@@ -155,8 +155,8 @@ size_t HUF_readCTable (HUF_CElt* CTable, U32 maxSymbolValue, const void* src, si
     }   }
 
     /* fill val */
-    {   U16 nbPerRank[HUF_TABLELOG_MAX+1] = {0};
-        U16 valPerRank[HUF_TABLELOG_MAX+1] = {0};
+    {   U16 nbPerRank[HUF_TABLELOG_MAX+2] = {0};
+        U16 valPerRank[HUF_TABLELOG_MAX+2] = {0};
         { U32 n; for (n=0; n<nbSymbols; n++) nbPerRank[CTable[n].nbBits]++; }
         /* determine stating value per rank */
         {   U16 min = 0;