mirror/zig
1
0
Fork 0
mirror of https://github.com/ziglang/zig.git synced 2025-12-06 14:23:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

std.compress.xz: Avoid possible integer overflow in a few places

Browse Source
This commit is contained in:
Ryan Liptak 2023-02-02 16:54:31 -08:00 committed by fn ⌃ ⌥
parent baa877fd12
commit d57813e3e9
4 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/std/compress/lzma/decode/lzma2.zig
View File

@ -155,7 +155,7 @@ pub const Lzma2Decoder = struct {
accum: *LzAccumBuffer,
reset_dict: bool,
) !void {
const unpacked_size = try reader.readIntBig(u16) + 1; // TODO: overflow
const unpacked_size = @as(u17, try reader.readIntBig(u16)) + 1;
if (reset_dict) {
try accum.reset(writer);

2
lib/std/compress/xz.zig
View File

@ -118,7 +118,7 @@ pub fn Decompress(comptime ReaderType: type) type {
var hasher = std.compress.hashedReader(self.in_reader, Crc32.init());
const hashed_reader = hasher.reader();
const backward_size = (try hashed_reader.readIntLittle(u32) + 1) * 4;
const backward_size = (@as(u64, try hashed_reader.readIntLittle(u32)) + 1) * 4;
if (backward_size != index_size)
return error.CorruptInput;

2
lib/std/compress/xz/block.zig
View File

@ -97,7 +97,7 @@ pub fn Decoder(comptime ReaderType: type) type {
var header_hasher = std.compress.hashedReader(block_reader, Crc32.init());
const header_reader = header_hasher.reader();
const header_size = try header_reader.readByte() * 4;
const header_size = @as(u64, try header_reader.readByte()) * 4;
if (header_size == 0)
return error.EndOfStreamWithNoError;

20
lib/std/compress/xz/test.zig
View File

@ -78,3 +78,23 @@ test "unsupported" {
);
}
}
fn testDontPanic(data: []const u8) !void {
const buf = decompress(data) catch |err| switch (err) {
error.OutOfMemory => |e| return e,
else => return,
};
defer testing.allocator.free(buf);
}
test "size fields: integer overflow avoidance" {
// These cases were found via fuzz testing and each previously caused
// an integer overflow when decoding. We just want to ensure they no longer
// cause a panic
const header_size_overflow = "\xfd7zXZ\x00\x00\x01i\"\xde6z";
try testDontPanic(header_size_overflow);
const lzma2_chunk_size_overflow = "\xfd7zXZ\x00\x00\x01i\"\xde6\x02\x00!\x01\x08\x00\x00\x00\xd8\x0f#\x13\x01\xff\xff";
try testDontPanic(lzma2_chunk_size_overflow);
const backward_size_overflow = "\xfd7zXZ\x00\x00\x01i\"\xde6\x00\x00\x00\x00\x1c\xdfD!\x90B\x99\r\x01\x00\x00\xff\xff\x10\x00\x00\x00\x01DD\xff\xff\xff\x01";
try testDontPanic(backward_size_overflow);
}