From: Yann Collet <yann.collet.73@gmail.com>
Date: Mon, 24 Aug 2015 14:47:04 +0000 (+0100)
Subject: Fixed decoding error #11 (reported by @magv)
X-Git-Tag: v0.1.0^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fee8e240c738d9e1b9a63401b5b90ae7e516fde7;p=thirdparty%2Fzstd.git

Fixed decoding error #11 (reported by @magv)
---

diff --git a/lib/zstd.c b/lib/zstd.c
index bcc16c877..b93cca4ee 100644
--- a/lib/zstd.c
+++ b/lib/zstd.c
@@ -1269,7 +1269,7 @@ size_t ZSTD_decodeSeqHeaders(int* nbSeq, const BYTE** dumpsPtr,
     ip += dumpsLength;
 
 	/* check */
-	if (ip > iend-1) return (size_t)-ZSTD_ERROR_SrcSize;
+	if (ip > iend-3) return (size_t)-ZSTD_ERROR_SrcSize; /* min : all 3 are "raw", hence no header, but at least xxLog bits per type */
 
     /* sequences */
     {
@@ -1300,6 +1300,7 @@ size_t ZSTD_decodeSeqHeaders(int* nbSeq, const BYTE** dumpsPtr,
         U32 max;
         case bt_rle :
             Offlog = 0;
+            if (ip > iend-2) return (size_t)-ZSTD_ERROR_SrcSize; /* min : "raw", hence no header, but at least xxLog bits */
             FSE_buildDTable_rle(DTableOffb, *ip++); break;
         case bt_raw :
             Offlog = Offbits;
@@ -1318,6 +1319,7 @@ size_t ZSTD_decodeSeqHeaders(int* nbSeq, const BYTE** dumpsPtr,
         U32 max;
         case bt_rle :
             MLlog = 0;
+            if (ip > iend-2) return (size_t)-ZSTD_ERROR_SrcSize; /* min : "raw", hence no header, but at least xxLog bits */
             FSE_buildDTable_rle(DTableML, *ip++); break;
         case bt_raw :
             MLlog = MLbits;
diff --git a/programs/fileio.c b/programs/fileio.c
index ee23dc01c..c137c78ba 100644
--- a/programs/fileio.c
+++ b/programs/fileio.c
@@ -360,12 +360,13 @@ unsigned long long FIO_decompressFilename(const char* output_filename, const cha
 
         /* Decode block */
         decodedSize = ZSTD_decompressContinue(dctx, op, oend-op, inBuff, readSize);
+        if (ZSTD_isError(decodedSize)) EXM_THROW(35, "Decoding error : input corrupted");
 
         if (decodedSize)   /* not a header */
         {
             /* Write block */
             sizeCheck = fwrite(op, 1, decodedSize, foutput);
-            if (sizeCheck != decodedSize) EXM_THROW(35, "Write error : unable to write data block to destination file");
+            if (sizeCheck != decodedSize) EXM_THROW(36, "Write error : unable to write data block to destination file");
             filesize += decodedSize;
             op += decodedSize;
             if (op==oend) op = outBuff;