aaea4ef924
When we switched `ZSTD_SKIPPABLEHEADERSIZE` to a macro, the places where we do:
MEM_readLE32(ptr) + ZSTD_SKIPPABLEHEADERSIZE
can now overflow `(unsigned)-8` to `0` and we infinite loop. We now check
the frame size and reject sizes that overflow a U32.
Note that this bug never made it into a release, and was only in the dev branch
for a few days.
Credit to OSS-Fuzz
|
||
|---|---|---|
| .. | ||
| huf_decompress.c | ||
| zstd_ddict.c | ||
| zstd_ddict.h | ||
| zstd_decompress_block.c | ||
| zstd_decompress_block.h | ||
| zstd_decompress_internal.h | ||
| zstd_decompress.c | ||