git.ipfire.org Git - thirdparty/zstd.git/commit
[libzstd] Fix infinite loop in decompression 1446/head
author Nick Terrell <terrelln@fb.com>
Wed, 12 Dec 2018 23:26:35 +0000 (15:26 -0800)
committer Nick Terrell <terrelln@fb.com>
Thu, 13 Dec 2018 23:13:19 +0000 (15:13 -0800)
commit aaea4ef92400cb657a0b837b6932a7c390445980
tree 564142c2cf4e2225a3204989ea6045b8353aa9c0
parent 54ca4b3c5d624f16c3a77f7ff2bfd68902f3fc6f
[libzstd] Fix infinite loop in decompression

When we switched `ZSTD_SKIPPABLEHEADERSIZE` to a macro, the places where we do:

    MEM_readLE32(ptr) + ZSTD_SKIPPABLEHEADERSIZE

can now overflow `(unsigned)-8` to `0` and we infinite loop. We now check
the frame size and reject sizes that overflow a U32.

Note that this bug never made it into a release, and was only in the dev branch
for a few days.

Credit to OSS-Fuzz
lib/decompress/zstd_decompress.c
tests/fuzzer.c
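
The wraparound the commit message describes, next to a checked form, as an added example that is not code from this commit. Assumptions: the header size is 8 (implied by `(unsigned)-8`), `int` is 32 bits, the size field follows a 4-byte magic, and `read_le32`, `frame_size_unchecked`, `frame_size_checked`, `walk_frames`, `FRAME_SIZE_ERROR` and the input bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define SKIPPABLE_HEADER_SIZE 8            /* assumed value; a plain int macro */
#define FRAME_SIZE_ERROR ((size_t)-1)      /* hypothetical error sentinel */

/* Hypothetical stand-in for MEM_readLE32(). */
static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern from the commit message: the sum is computed in 32 bits,
 * so a size field of 0xFFFFFFF8 wraps to 0 before it widens to size_t. */
static size_t frame_size_unchecked(const unsigned char *size_field) {
    return read_le32(size_field) + SKIPPABLE_HEADER_SIZE;
}

/* Checked form: reject a size whose sum with the header overflows 32 bits. */
static size_t frame_size_checked(const unsigned char *size_field) {
    uint32_t const content = read_le32(size_field);
    if ((uint32_t)(content + SKIPPABLE_HEADER_SIZE) < content)
        return FRAME_SIZE_ERROR;
    return (size_t)content + SKIPPABLE_HEADER_SIZE;
}

/* Model of a frame-skipping loop. Returns frames stepped over, or -1 when a
 * frame is rejected. max_steps bounds the demo: a 0-byte advance never ends. */
static int walk_frames(const unsigned char *buf, size_t len,
                       size_t (*frame_size)(const unsigned char *), int max_steps) {
    size_t pos = 0;
    int steps = 0;
    while (len - pos >= SKIPPABLE_HEADER_SIZE && steps < max_steps) {
        size_t const n = frame_size(buf + pos + 4);  /* size follows 4-byte magic */
        if (n == FRAME_SIZE_ERROR || n > len - pos) return -1;
        pos += n;
        steps++;
    }
    return steps;
}

/* Constructed input: skippable-frame magic, then size field 0xFFFFFFF8. */
static const unsigned char BAD_FRAME[8] = {0x50,0x2A,0x4D,0x18, 0xF8,0xFF,0xFF,0xFF};

int main(void) {
    printf("unchecked: %d steps\n", walk_frames(BAD_FRAME, 8, frame_size_unchecked, 1000));
    printf("checked:   %d\n", walk_frames(BAD_FRAME, 8, frame_size_checked, 1000));
    return 0;
}
```

With the unchecked size the walker never advances and stops only at the step cap; with the checked size the frame is rejected on the first iteration.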