internal/zstd: avoid panic when windowSize is negative

This change fixes an edge case in the zstd decompressor where
an int conversion could result in a negative window size.

Fixes #63979
For #62513

Change-Id: Ie714bf8fb51fa509b310deb8bd2c96bd87b52852
GitHub-Last-Rev: ab0be65782
GitHub-Pull-Request: golang/go#63980
Reviewed-on: https://go-review.googlesource.com/c/go/+/540415
Reviewed-by: Cherry Mui <cherryyz@google.com>
Run-TryBot: M Zhuo <mengzhuo1203@gmail.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: M Zhuo <mengzhuo1203@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
aimuz 2023-11-18 04:16:04 +00:00 committed by M Zhuo
parent 4afb155cdf
commit 923ab13f9b
2 changed files with 8 additions and 6 deletions


@ -25,6 +25,7 @@ var badStrings = []string{
"(\xb5/\xfd00\xec\x00\x00&@\x05\x05A7002\x02\x00\x02\x00\x02\x0000000000000000",
"(\xb5/\xfd00\xec\x00\x00V@\x05\x0517002\x02\x00\x02\x00\x02\x0000000000000000",
"\x50\x2a\x4d\x18\x02\x00\x00\x00",
"(\xb5/\xfd\xe40000000\xfa20\x000",
}
// This is a simple fuzzer to see if the decompressor panics.
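Review bot: The entry added to `badStrings` carries no hint of what it exercises, so a later reader cannot tell it apart from the other seeds when triaging a failure. Going by the commit message it is presumably the reproducer for #63979. By my reading of the frame header, the descriptor byte `\xe4` sets Single_Segment_Flag with an 8-byte Frame_Content_Size whose top byte is `\xfa`, which is the kind of value that went negative under the old `int(...)` conversion. A one-line comment above the entry would record that, e.g. `// Issue 63979: single-segment frame whose Frame_Content_Size exceeds math.MaxInt64.`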


@ -237,7 +237,7 @@ retry:
// Figure out the maximum amount of data we need to retain
// for backreferences.
var windowSize int
var windowSize uint64
if !singleSegment {
// Window descriptor. RFC 3.1.1.1.2.
windowDescriptor := r.scratch[0]
@ -246,7 +246,7 @@ retry:
windowLog := exponent + 10
windowBase := uint64(1) << windowLog
windowAdd := (windowBase / 8) * mantissa
windowSize = int(windowBase + windowAdd)
windowSize = windowBase + windowAdd
// Default zstd sets limits on the window size.
if fuzzing && (windowLog > 31 || windowSize > 1<<27) {
@ -288,12 +288,13 @@ retry:
// When Single_Segment_Flag is set, Window_Descriptor is not present.
// In this case, Window_Size is Frame_Content_Size.
if singleSegment {
windowSize = int(r.remainingFrameSize)
windowSize = r.remainingFrameSize
}
// RFC 8878 3.1.1.1.1.2. permits us to set an 8M max on window size.
if windowSize > 8<<20 {
windowSize = 8 << 20
const maxWindowSize = 8 << 20
if windowSize > maxWindowSize {
windowSize = maxWindowSize
}
relativeOffset += headerSize
@ -307,7 +308,7 @@ retry:
r.repeatedOffset2 = 4
r.repeatedOffset3 = 8
r.huffmanTableBits = 0
r.window.reset(windowSize)
r.window.reset(int(windowSize))
r.seqTables[0] = nil
r.seqTables[1] = nil
r.seqTables[2] = nil
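Review bot: The narrowing in `r.window.reset(int(windowSize))` is safe only because of the `maxWindowSize` clamp in the earlier hunk, and nothing at the call site records that dependency. Per the comments in these hunks, windowSize is derived from the frame's Window_Descriptor or Frame_Content_Size, so it is controlled by the input. A later edit that moves or relaxes the clamp would bring back the negative size this commit fixes. I would add a comment directly above the call, e.g. `// windowSize <= maxWindowSize after the clamp above, so int(windowSize) cannot be negative or truncated, even with a 32-bit int.` The enclosing function starts and ends outside these hunks.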