Commit d57813e3e9

Ryan Liptak <squeek502@hotmail.com>
2023-02-03 01:54:31
std.compress.xz: Avoid possible integer overflow in a few places
master
1 parent baa877f
Changed files (4)
lib
std
compress
lzma
decode
lzma2.zig
xz
block.zig
test.zig
xz.zig
lib/std/compress/lzma/decode/lzma2.zig
@@ -155,7 +155,7 @@ pub const Lzma2Decoder = struct {
         accum: *LzAccumBuffer,
         reset_dict: bool,
     ) !void {
-        const unpacked_size = try reader.readIntBig(u16) + 1; // TODO: overflow
+        const unpacked_size = @as(u17, try reader.readIntBig(u16)) + 1;
 
         if (reset_dict) {
             try accum.reset(writer);
lib/std/compress/xz/block.zig
@@ -97,7 +97,7 @@ pub fn Decoder(comptime ReaderType: type) type {
                 var header_hasher = std.compress.hashedReader(block_reader, Crc32.init());
                 const header_reader = header_hasher.reader();
 
-                const header_size = try header_reader.readByte() * 4;
+                const header_size = @as(u64, try header_reader.readByte()) * 4;
                 if (header_size == 0)
                     return error.EndOfStreamWithNoError;
lib/std/compress/xz/test.zig
@@ -78,3 +78,23 @@ test "unsupported" {
         );
     }
 }
+
+fn testDontPanic(data: []const u8) !void {
+    const buf = decompress(data) catch |err| switch (err) {
+        error.OutOfMemory => |e| return e,
+        else => return,
+    };
+    defer testing.allocator.free(buf);
+}
+
+test "size fields: integer overflow avoidance" {
+    // These cases were found via fuzz testing and each previously caused
+    // an integer overflow when decoding. We just want to ensure they no longer
+    // cause a panic
+    const header_size_overflow = "\xfd7zXZ\x00\x00\x01i\"\xde6z";
+    try testDontPanic(header_size_overflow);
+    const lzma2_chunk_size_overflow = "\xfd7zXZ\x00\x00\x01i\"\xde6\x02\x00!\x01\x08\x00\x00\x00\xd8\x0f#\x13\x01\xff\xff";
+    try testDontPanic(lzma2_chunk_size_overflow);
+    const backward_size_overflow = "\xfd7zXZ\x00\x00\x01i\"\xde6\x00\x00\x00\x00\x1c\xdfD!\x90B\x99\r\x01\x00\x00\xff\xff\x10\x00\x00\x00\x01DD\xff\xff\xff\x01";
+    try testDontPanic(backward_size_overflow);
+}
lib/std/compress/xz.zig
@@ -118,7 +118,7 @@ pub fn Decompress(comptime ReaderType: type) type {
                 var hasher = std.compress.hashedReader(self.in_reader, Crc32.init());
                 const hashed_reader = hasher.reader();
 
-                const backward_size = (try hashed_reader.readIntLittle(u32) + 1) * 4;
+                const backward_size = (@as(u64, try hashed_reader.readIntLittle(u32)) + 1) * 4;
                 if (backward_size != index_size)
                     return error.CorruptInput;