5717bd39ee
When the output buffer is `NULL` with size 0, but the frame content size is non-zero, we will write to the NULL pointer because our bounds check underflowed. This was exposed by a recent PR that allowed an empty frame into the single-pass shortcut in streaming mode. * Fix the bug. * Fix another NULL dereference in zstd-v1. * Overflow checks in 32-bit mode. * Add a dedicated test. * Expose the bug in the dedicated simple_decompress fuzzer. * Switch all mallocs in fuzzers to return NULL for size=0. * Fix a new timeout in a fuzzer. Neither clang nor gcc show a decompression speed regression on x86-64. On x86-32 clang is slightly positive and gcc loses 2.5% of speed. Credit to OSS-Fuzz. |
||
|---|---|---|
| .. | ||
| huf_decompress.c | ||
| zstd_ddict.c | ||
| zstd_ddict.h | ||
| zstd_decompress_block.c | ||
| zstd_decompress_block.h | ||
| zstd_decompress_internal.h | ||
| zstd_decompress.c | ||