From 98547713a354efef406ca79731db8984eb26c051 Mon Sep 17 00:00:00 2001
From: Ryan Liptak
Date: Fri, 15 Aug 2025 17:38:13 -0700
Subject: [PATCH] zstd: Protect against index out-of-bounds when decoding sequences
Previously, index out-of-bounds could occur when copying match_length bytes while decoding whatever sequence happened to overflow `dest`. Now, each sequence checks that there is enough room for the full sequence_length (literal_length + match_length) before doing any copying. Fixes the failing inputs found here: https://github.com/ziglang/zig/issues/24817#issuecomment-3192927715
---
 lib/std/compress/zstd/Decompress.zig | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/std/compress/zstd/Decompress.zig b/lib/std/compress/zstd/Decompress.zig
index 08fda244f9..0fc807333f 100644
--- a/lib/std/compress/zstd/Decompress.zig
+++ b/lib/std/compress/zstd/Decompress.zig
@@ -765,6 +765,9 @@ pub const Frame = struct {
 const match_length: usize = sequence.match_length;
 const sequence_length = literal_length + match_length;
+ if (sequence_length > dest[write_pos..].len)
+ return error.MalformedSequence;
+
 const copy_start = std.math.sub(usize, write_pos + sequence.literal_length, sequence.offset) catch return error.MalformedSequence;
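Review bot: The new guard `if (sequence_length > dest[write_pos..].len)` lands without a regression test, even though the commit message points at concrete failing inputs and the diffstat shows only Decompress.zig changed. A test that feeds one of those inputs to the decoder and expects `error.MalformedSequence` would pin the fix, which matters most for builds with safety checks disabled, where an out-of-bounds copy would not trap. A one-line comment above the check would also help the next reader, e.g. `// The whole sequence (literals + match) must fit in the rest of dest before any bytes are copied.` The guard itself slices `dest[write_pos..]`, so it presumably relies on `write_pos <= dest.len` already holding; that invariant is not visible here because the enclosing function starts and ends outside the hunk, and is worth confirming.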