From dc904ad17bf608db483f6187bdbcd5ed43fea88d Mon Sep 17 00:00:00 2001
From: Nick Terrell
Date: Fri, 4 Nov 2016 16:18:59 -0700
Subject: [PATCH] Fix bug in zstd v0.{5, 6} dictionary decompression

Introduced by bb68062c590dbd46905907dd2a63a658040a79d4.
---
 lib/legacy/zstd_v05.c | 2 +-
 lib/legacy/zstd_v06.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/legacy/zstd_v05.c b/lib/legacy/zstd_v05.c
index 201bf3c6..f63a97fd 100644
--- a/lib/legacy/zstd_v05.c
+++ b/lib/legacy/zstd_v05.c
@@ -2996,7 +2996,7 @@ size_t ZSTDv05_decodeLiteralsBlock(ZSTDv05_DCtx* dctx,
 lhSize=3;
 litSize = ((istart[0] & 15) << 6) + (istart[1] >> 2);
 litCSize = ((istart[1] & 3) << 8) + istart[2];
- if (litCSize + litSize > srcSize) return ERROR(corruption_detected);
+ if (litCSize + lhSize > srcSize) return ERROR(corruption_detected);
 errorCode = HUFv05_decompress1X4_usingDTable(dctx->litBuffer, litSize, istart+lhSize, litCSize, dctx->hufTableX4);
 if (HUFv05_isError(errorCode)) return ERROR(corruption_detected);
diff --git a/lib/legacy/zstd_v06.c b/lib/legacy/zstd_v06.c
index b6fde3aa..88be4943 100644
--- a/lib/legacy/zstd_v06.c
+++ b/lib/legacy/zstd_v06.c
@@ -3186,7 +3186,7 @@ size_t ZSTDv06_decodeLiteralsBlock(ZSTDv06_DCtx* dctx,
 lhSize=3;
 litSize = ((istart[0] & 15) << 6) + (istart[1] >> 2);
 litCSize = ((istart[1] & 3) << 8) + istart[2];
- if (litCSize + litSize > srcSize) return ERROR(corruption_detected);
+ if (litCSize + lhSize > srcSize) return ERROR(corruption_detected);
 { size_t const errorCode = HUFv06_decompress1X4_usingDTable(dctx->litBuffer, litSize, istart+lhSize, litCSize, dctx->hufTableX4);
 if (HUFv06_isError(errorCode)) return ERROR(corruption_detected);
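Review bot: The corrected bound `litCSize + lhSize > srcSize` in ZSTDv05_decodeLiteralsBlock has no comment saying why it uses the header size rather than `litSize`, and confusing the two is exactly what this commit fixes; the same applies to the identical line in ZSTDv06_decodeLiteralsBlock. I would add above it `/* input bound: lhSize header bytes + litCSize compressed bytes must fit in src; litSize is the regenerated (output) size */`. Both hunks also read `istart[0]` to `istart[2]` before this check, so they presumably rely on a minimum-srcSize guard earlier in each function, which starts outside the hunk and is worth confirming. The diffstat touches only the two legacy sources, so a regression test would help: one that decodes a valid v0.5/v0.6 dictionary frame, and one that feeds a truncated frame and expects an error return.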