From: Nick Terrell
Date: Fri, 20 Sep 2019 15:25:12 +0000 (-0700)
Subject: Fix bounds check in ZSTD_storeSeq()
X-Git-Tag: v1.4.4~1^2~42^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fde217df0440ed5b05fd6f0ceb53d73b4902820e;p=thirdparty%2Fzstd.git

Fix bounds check in ZSTD_storeSeq()
---
diff --git a/lib/compress/zstd_compress_internal.h b/lib/compress/zstd_compress_internal.h
index bc654bcc9..83221757e 100644
--- a/lib/compress/zstd_compress_internal.h
+++ b/lib/compress/zstd_compress_internal.h
@@ -361,8 +361,8 @@ MEM_STATIC void ZSTD_storeSeq(seqStore_t* seqStorePtr, size_t litLength, const B
 assert(seqStorePtr->maxNbLit <= 128 KB);
 assert(seqStorePtr->lit + litLength <= seqStorePtr->litStart + seqStorePtr->maxNbLit);
 /* We are guaranteed at least 8 bytes of literals space because of HASH_READ_SIZE. */
- assert(litLimit - literals >= HASH_READ_SIZE);
- if (litLimit - literals >= WILDCOPY_OVERLENGTH)
+ assert(literals + litLength + HASH_READ_SIZE <= litLimit);
+ if (literals + litLength + WILDCOPY_OVERLENGTH <= litLimit)
 ZSTD_wildcopy(seqStorePtr->lit, literals, (ptrdiff_t)litLength, ZSTD_no_overlap);
 else
 ZSTD_wildcopy8(seqStorePtr->lit, literals, (ptrdiff_t)litLength);
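Review bot: The new test `literals + litLength + WILDCOPY_OVERLENGTH <= litLimit` builds a pointer that lies past `litLimit` on exactly the inputs that should take the `else` branch. Forming a pointer more than one past the end of its object is undefined behaviour in C, and the hunk does not show how far `litLimit` sits before the real end of the buffer. Comparing lengths keeps the arithmetic inside the object: `if (litLength + WILDCOPY_OVERLENGTH <= (size_t)(litLimit - literals))`, with the same shape for the `HASH_READ_SIZE` assert. Separately, the margin the `ZSTD_wildcopy8` fallback relies on is enforced only by that `assert`, which presumably compiles out in release builds. A comment naming the caller-side invariant would help the next reader. The body of `ZSTD_storeSeq()` starts and continues outside the hunk.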