system/serenity
system/serenity
1
0
Fork 0
mirror of https://github.com/SerenityOS/serenity synced 2024-07-21 10:05:32 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

LibCompress: Avoid buffer overrun when building canonical Huffman code

Browse source 
Previously, decompressing a DEFLATE stream an invalid canonical
Huffman code could cause a buffer overrun. We now return an error in
this case.
This commit is contained in:
Tim Ledbetter 2023-10-09 17:54:49 +01:00 committed by Tim Schumacher
parent bc6638682d
commit 2f26a7bb12
2 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
Tests/LibCompress/TestDeflate.cpp
View file

@ -55,6 +55,13 @@ TEST_CASE(canonical_code_complex)
EXPECT_EQ(MUST(huffman.read_symbol(bit_stream)), output[idx]);
}
TEST_CASE(invalid_canonical_code)
{
Array<u8, 257> code;
code.fill(0x08);
EXPECT(Compress::CanonicalCode::from_bytes(code).is_error());
}
TEST_CASE(deflate_decompress_compressed_block)
{
Array<u8, 28> const compressed {

3
Userland/Libraries/LibCompress/Deflate.cpp
View file

@ -100,6 +100,9 @@ ErrorOr<CanonicalCode> CanonicalCode::from_bytes(ReadonlyBytes bytes)
return Error::from_string_literal("Failed to decode code lengths");
if (code_length <= CanonicalCode::max_allowed_prefixed_code_length) {
if (number_of_prefix_codes >= prefix_codes.size())
return Error::from_string_literal("Invalid canonical Huffman code");
auto& prefix_code = prefix_codes[number_of_prefix_codes++];
prefix_code.symbol_code = next_code;
prefix_code.symbol_value = symbol;