From: Nick Terrell
Date: Fri, 4 Nov 2016 23:18:59 +0000 (-0700)
Subject: Fix bug in zstd v0.{5, 6} dictionary decompression
X-Git-Tag: v1.1.2~87^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F443%2Fhead;p=thirdparty%2Fzstd.git

Fix bug in zstd v0.{5, 6} dictionary decompression
Introduced by bb68062c590dbd46905907dd2a63a658040a79d4.
---
diff --git a/lib/legacy/zstd_v05.c b/lib/legacy/zstd_v05.c
index 201bf3c6b..f63a97fd7 100644
--- a/lib/legacy/zstd_v05.c
+++ b/lib/legacy/zstd_v05.c
@@ -2996,7 +2996,7 @@ size_t ZSTDv05_decodeLiteralsBlock(ZSTDv05_DCtx* dctx,
 lhSize=3;
 litSize = ((istart[0] & 15) << 6) + (istart[1] >> 2);
 litCSize = ((istart[1] & 3) << 8) + istart[2];
- if (litCSize + litSize > srcSize) return ERROR(corruption_detected);
+ if (litCSize + lhSize > srcSize) return ERROR(corruption_detected);
 errorCode = HUFv05_decompress1X4_usingDTable(dctx->litBuffer, litSize, istart+lhSize, litCSize, dctx->hufTableX4);
 if (HUFv05_isError(errorCode)) return ERROR(corruption_detected);
diff --git a/lib/legacy/zstd_v06.c b/lib/legacy/zstd_v06.c
index b6fde3aa6..88be49438 100644
--- a/lib/legacy/zstd_v06.c
+++ b/lib/legacy/zstd_v06.c
@@ -3186,7 +3186,7 @@ size_t ZSTDv06_decodeLiteralsBlock(ZSTDv06_DCtx* dctx,
 lhSize=3;
 litSize = ((istart[0] & 15) << 6) + (istart[1] >> 2);
 litCSize = ((istart[1] & 3) << 8) + istart[2];
- if (litCSize + litSize > srcSize) return ERROR(corruption_detected);
+ if (litCSize + lhSize > srcSize) return ERROR(corruption_detected);
 { size_t const errorCode = HUFv06_decompress1X4_usingDTable(dctx->litBuffer, litSize, istart+lhSize, litCSize, dctx->hufTableX4);
 if (HUFv06_isError(errorCode)) return ERROR(corruption_detected);
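Review bot: The corrected guard on the `litCSize + lhSize > srcSize` line in ZSTDv05_decodeLiteralsBlock needs a comment saying which buffer it protects, because mixing up the regenerated size with the consumed size is the mistake this commit repairs; for example `/* input bound: 3-byte header + compressed literals must fit in src; litSize is the output size */`. From the visible lines litSize is built from a 10-bit field and so cannot exceed 1023, but nothing in the hunk shows that dctx->litBuffer is at least that large, so that capacity should be confirmed or asserted next to the HUFv05_decompress1X4_usingDTable call. The same applies to the identical line in ZSTDv06_decodeLiteralsBlock in lib/legacy/zstd_v06.c. The commit carries no test, and a dictionary-compressed v0.5/v0.6 frame whose literals regenerate to more bytes than the block occupies would pin both the false rejection and the input bound. Both functions begin and end outside their hunks.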