From a9fb8d4c41bf3cc829adf20aea3768863d03cd0d Mon Sep 17 00:00:00 2001 From: Yann Collet Date: Fri, 8 Mar 2024 14:55:38 -0800 Subject: [PATCH] new method to deal with offset==0 in this new method, when an `offset==0` is detected, it's converted into (size_t)(-1), instead of 1. The logic is that (size_t)(-1) is effectively an extremely large positive number, which will not pass the offset distance test at next stage (`execSequence()`). Checked the source code, and offset is always checked (as it should), using a formula which is not vulnerable to arithmetic overflow: ``` RETURN_ERROR_IF(sequence.offset > (size_t)(oLitEnd - virtualStart), ``` The benefit is that such a case (offset==0) is always detected as corrupted data as opposed to relying on the checksum to detect the error. --- lib/decompress/zstd_decompress_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/decompress/zstd_decompress_block.c b/lib/decompress/zstd_decompress_block.c index 8d9fea5fd..76d7332e8 100644 --- a/lib/decompress/zstd_decompress_block.c +++ b/lib/decompress/zstd_decompress_block.c @@ -1305,7 +1305,7 @@ ZSTD_decodeSequence(seqState_t* seqState, const ZSTD_longOffset_e longOffsets, c } else { offset = ofBase + ll0 + BIT_readBitsFast(&seqState->DStream, 1); { size_t temp = (offset==3) ? seqState->prevOffset[0] - 1 : seqState->prevOffset[offset]; - temp += !temp; /* 0 is not valid; input is corrupted; force offset to 1 */ + temp -= !temp; /* 0 is not valid: input corrupted => force offset to -1 => corruption detected at execSequence */ if (offset != 1) seqState->prevOffset[2] = seqState->prevOffset[1]; seqState->prevOffset[1] = seqState->prevOffset[0]; seqState->prevOffset[0] = offset = temp; -- 2.47.2