mirror of
https://github.com/golang/go
synced 2024-10-02 22:25:08 +00:00
internal/zstd: avoid panic when windowSize is negative
This change fixes an edge case in the zstd decompressor where
an int conversion could result in a negative window size.
Fixes #63979
For #62513
Change-Id: Ie714bf8fb51fa509b310deb8bd2c96bd87b52852
GitHub-Last-Rev: ab0be65782
GitHub-Pull-Request: golang/go#63980
Reviewed-on: https://go-review.googlesource.com/c/go/+/540415
Reviewed-by: Cherry Mui <cherryyz@google.com>
Run-TryBot: M Zhuo <mengzhuo1203@gmail.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: M Zhuo <mengzhuo1203@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This commit is contained in:
parent
4afb155cdf
commit
923ab13f9b
|
@ -25,6 +25,7 @@ var badStrings = []string{
|
|||
"(\xb5/\xfd00\xec\x00\x00&@\x05\x05A7002\x02\x00\x02\x00\x02\x0000000000000000",
|
||||
"(\xb5/\xfd00\xec\x00\x00V@\x05\x0517002\x02\x00\x02\x00\x02\x0000000000000000",
|
||||
"\x50\x2a\x4d\x18\x02\x00\x00\x00",
|
||||
"(\xb5/\xfd\xe40000000\xfa20\x000",
|
||||
}
|
||||
|
||||
// This is a simple fuzzer to see if the decompressor panics.
|
||||
|
|
|
@ -237,7 +237,7 @@ retry:
|
|||
|
||||
// Figure out the maximum amount of data we need to retain
|
||||
// for backreferences.
|
||||
var windowSize int
|
||||
var windowSize uint64
|
||||
if !singleSegment {
|
||||
// Window descriptor. RFC 3.1.1.1.2.
|
||||
windowDescriptor := r.scratch[0]
|
||||
|
@ -246,7 +246,7 @@ retry:
|
|||
windowLog := exponent + 10
|
||||
windowBase := uint64(1) << windowLog
|
||||
windowAdd := (windowBase / 8) * mantissa
|
||||
windowSize = int(windowBase + windowAdd)
|
||||
windowSize = windowBase + windowAdd
|
||||
|
||||
// Default zstd sets limits on the window size.
|
||||
if fuzzing && (windowLog > 31 || windowSize > 1<<27) {
|
||||
|
@ -288,12 +288,13 @@ retry:
|
|||
// When Single_Segment_Flag is set, Window_Descriptor is not present.
|
||||
// In this case, Window_Size is Frame_Content_Size.
|
||||
if singleSegment {
|
||||
windowSize = int(r.remainingFrameSize)
|
||||
windowSize = r.remainingFrameSize
|
||||
}
|
||||
|
||||
// RFC 8878 3.1.1.1.1.2. permits us to set an 8M max on window size.
|
||||
if windowSize > 8<<20 {
|
||||
windowSize = 8 << 20
|
||||
const maxWindowSize = 8 << 20
|
||||
if windowSize > maxWindowSize {
|
||||
windowSize = maxWindowSize
|
||||
}
|
||||
|
||||
relativeOffset += headerSize
|
||||
|
@ -307,7 +308,7 @@ retry:
|
|||
r.repeatedOffset2 = 4
|
||||
r.repeatedOffset3 = 8
|
||||
r.huffmanTableBits = 0
|
||||
r.window.reset(windowSize)
|
||||
r.window.reset(int(windowSize))
|
||||
r.seqTables[0] = nil
|
||||
r.seqTables[1] = nil
|
||||
r.seqTables[2] = nil
|
||||
|
|
Loading…
Reference in a new issue