From ca306c1c84df962fbfc066cdba8b6d409f20e3c2 Mon Sep 17 00:00:00 2001
From: Yann Collet
Date: Wed, 27 Sep 2017 00:39:41 -0700
Subject: [PATCH] fixed a bug in zstreamtest

decoder output buffer would receive a wrong size.

In previous version, ZSTD_decompressStream() would blindly trust the caller that pos <= size. In this version, this condition is actively checked, and the function returns an error code if this condition is not respected.

This check could also be done with an assert(), but since this is a user-facing interface, it seems better to keep this check at runtime.
---
 lib/decompress/zstd_decompress.c | 12 ++++++++++--
 tests/zstreamtest.c | 2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/lib/decompress/zstd_decompress.c b/lib/decompress/zstd_decompress.c
index dc6ab3f3..0380f6a1 100644
--- a/lib/decompress/zstd_decompress.c
+++ b/lib/decompress/zstd_decompress.c
@@ -2404,8 +2404,16 @@ size_t ZSTD_decompressStream(ZSTD_DStream* zds, ZSTD_outBuffer* output, ZSTD_inB
 U32 someMoreWork = 1;
 DEBUGLOG(5, "ZSTD_decompressStream");
- if (input->pos > input->size) return ERROR(GENERIC); /* forbidden */
- if (output->pos > output->size) return ERROR(GENERIC); /* forbidden */
+ if (input->pos > input->size) { /* forbidden */
+ DEBUGLOG(5, "in: pos: %u vs size: %u", (U32)input->pos, (U32)input->size);
+ return ERROR(GENERIC);
+ }
+ if (output->pos > output->size) { /* forbidden */
+ DEBUGLOG(5, "out: pos: %u vs size: %u", (U32)output->pos, (U32)output->size);
+ return ERROR(GENERIC);
+ }
 DEBUGLOG(5, "input size : %u", (U32)(input->size - input->pos));
 #if defined(ZSTD_LEGACY_SUPPORT) && (ZSTD_LEGACY_SUPPORT>=1)
diff --git a/tests/zstreamtest.c b/tests/zstreamtest.c
index 613a879b..1f682038 100644
--- a/tests/zstreamtest.c
+++ b/tests/zstreamtest.c
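Review bot: Both new guards report the caller's misuse as `ERROR(GENERIC)`, the least specific code available, so a caller that accidentally set `pos > size` gets the same error as an internal decoder failure and has nothing to distinguish the two; if the error table carries a size-related code that fits, it would be more useful here, and either way the precondition should be stated on the public API, e.g. in the ZSTD_decompressStream doc comment: `/* Requires input->pos <= input->size and output->pos <= output->size; violating either returns an error code instead of being undefined behaviour. */`. The `(U32)` casts in the two new DEBUGLOG calls presumably truncate a 64-bit `size_t`, so a position or size above 4 GiB would be logged modulo 2^32 — harmless because it is debug-only and consistent with the existing `input size` log, but worth knowing when reading a trace. ZSTD_decompressStream's body continues past the end of this hunk.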
@@ -914,7 +914,7 @@ static int fuzzerTests(U32 seed, U32 nbTests, unsigned startTest, double compres
 size_t const randomDstSize = FUZ_randomLength(&lseed, maxSampleLog);
 size_t const dstBuffSize = MIN(dstBufferSize - totalGenSize, randomDstSize);
 inBuff.size = inBuff.pos + readCSrcSize;
- outBuff.size = inBuff.pos + dstBuffSize;
+ outBuff.size = outBuff.pos + dstBuffSize;
 decompressionResult = ZSTD_decompressStream(zd, &outBuff, &inBuff);
 if (ZSTD_getErrorCode(decompressionResult) == ZSTD_error_checksum_wrong) {
 DISPLAY("checksum error : \n");
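Review bot: The corrected `outBuff.size = outBuff.pos + dstBuffSize;` removes the fuzzer's own misuse, but nothing in this commit exercises the new runtime check it motivated, so a future regression that drops the `pos > size` guard in the decoder would go unnoticed; a small negative case next to this call would pin it, e.g. `outBuff.pos = outBuff.size + 1; CHECK(!ZSTD_isError(ZSTD_decompressStream(zd, &outBuff, &inBuff)), "pos > size must be rejected"); outBuff.pos = outBuff.size - 1;` (adjusted to the harness's checking macro). Whether `outBuff.pos + dstBuffSize` stays inside the destination buffer depends on `outBuff.pos` equalling `totalGenSize` at this point, which the hunk does not show; if that invariant holds it is worth asserting once before the call. fuzzerTests starts and ends outside this hunk.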