mirror of
https://github.com/golang/go
synced 2024-09-15 22:20:06 +00:00
compress/flate: fix panic when nlit is out of bounds.
Fixes #3815. R=r CC=golang-dev https://golang.org/cl/6352109
This commit is contained in:
parent
e726197858
commit
da4eef402d
|
@ -16,9 +16,10 @@ import (
|
|||
const (
|
||||
maxCodeLen = 16 // max length of Huffman code
|
||||
maxHist = 32768 // max history required
|
||||
maxLit = 286
|
||||
maxDist = 32
|
||||
numCodes = 19 // number of codes in Huffman meta-code
|
||||
// The next three numbers come from the RFC, section 3.2.7.
|
||||
maxLit = 286
|
||||
maxDist = 32
|
||||
numCodes = 19 // number of codes in Huffman meta-code
|
||||
)
|
||||
|
||||
// A CorruptInputError reports the presence of corrupt input at a given offset.
|
||||
|
@ -306,10 +307,15 @@ func (f *decompressor) readHuffman() error {
|
|||
}
|
||||
}
|
||||
nlit := int(f.b&0x1F) + 257
|
||||
if nlit > maxLit {
|
||||
return CorruptInputError(f.roffset)
|
||||
}
|
||||
f.b >>= 5
|
||||
ndist := int(f.b&0x1F) + 1
|
||||
// maxDist is 32, so ndist is always valid.
|
||||
f.b >>= 5
|
||||
nclen := int(f.b&0xF) + 4
|
||||
// numCodes is 19, so nclen is always valid.
|
||||
f.b >>= 4
|
||||
f.nb -= 5 + 5 + 4
|
||||
|
||||
|
|
|
@ -9,9 +9,19 @@ import (
|
|||
"io"
|
||||
"io/ioutil"
|
||||
"runtime"
|
||||
"strings"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestNlitOutOfRange(t *testing.T) {
|
||||
// Trying to decode this bogus flate data, which has a Huffman table
|
||||
// with nlit=288, should not panic.
|
||||
io.Copy(ioutil.Discard, NewReader(strings.NewReader(
|
||||
"\xfc\xfe\x36\xe7\x5e\x1c\xef\xb3\x55\x58\x77\xb6\x56\xb5\x43\xf4"+
|
||||
"\x6f\xf2\xd2\xe6\x3d\x99\xa0\x85\x8c\x48\xeb\xf8\xda\x83\x04\x2a"+
|
||||
"\x75\xc4\xf8\x0f\x12\x11\xb9\xb4\x4b\x09\xa0\xbe\x8b\x91\x4c")))
|
||||
}
|
||||
|
||||
const (
|
||||
digits = iota
|
||||
twain
|
||||
|
|
Loading…
Reference in a new issue