zstd: Fix crash on amd64 (no BMI) + Go fuzz test

[klauspost]

Port zstd fuzz tests to Go 1.18 fuzz tests.

(May need time extension on Go 1.18 CI)

[klauspost]

2022-07-17T10:45:40.7398600Z unexpected fault address 0xb01dfacedebac1e
2022-07-17T10:45:40.7399010Z fatal error: fault
2022-07-17T10:45:40.7399390Z [signal SIGSEGV: segmentation violation code=0x1 addr=0xb01dfacedebac1e pc=0x120bfa5]
2022-07-17T10:45:40.7399630Z 
2022-07-17T10:45:40.7399790Z goroutine 669531 [running]:
2022-07-17T10:45:40.7400050Z runtime.throw({0x1272ed5?, 0xc0000d90e0?})
2022-07-17T10:45:40.7402570Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/runtime/panic.go:992 +0x71 fp=0xc0000d8fd0 sp=0xc0000d8fa0 pc=0x10341d1
2022-07-17T10:45:40.7402950Z runtime.sigpanic()
2022-07-17T10:45:40.7403430Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/runtime/signal_unix.go:825 +0x305 fp=0xc0000d9020 sp=0xc0000d8fd0 pc=0x104a665
2022-07-17T10:45:40.7403930Z github.com/klauspost/compress/zstd.sequenceDecs_decodeSync_safe_amd64(0xc000910298, 0xc00083a7b0, 0xc0000d90f8)
2022-07-17T10:45:40.7404430Z 	/Users/runner/work/compress/compress/zstd/seqdec_amd64.s:3008 +0x2c5 fp=0xc0000d9070 sp=0xc0000d9020 pc=0x120bfa5
2022-07-17T10:45:40.7404910Z github.com/klauspost/compress/zstd.(*sequenceDecs).decodeSyncSimple(0xc000910298, {0xc00649a326?, 0x0, 0x11cbc78?})
2022-07-17T10:45:40.7405380Z 	/Users/runner/work/compress/compress/zstd/seqdec_amd64.go:110 +0x29d fp=0xc0000d91f0 sp=0xc0000d9070 pc=0x11ce89d
2022-07-17T10:45:40.7406280Z github.com/klauspost/compress/zstd.(*sequenceDecs).decodeSync(0xc000910298, {0xc00649a326, 0x0, 0x10})
2022-07-17T10:45:40.7406810Z 	/Users/runner/work/compress/compress/zstd/seqdec.go:207 +0x4e fp=0xc0000d9358 sp=0xc0000d91f0 pc=0x11ccd4e
2022-07-17T10:45:40.7407270Z github.com/klauspost/compress/zstd.(*blockDec).decodeCompressed(0xc0005ce000, 0xc000910290)
2022-07-17T10:45:40.7407840Z 	/Users/runner/work/compress/compress/zstd/blockdec.go:491 +0x19a fp=0xc0000d93b0 sp=0xc0000d9358 pc=0x11a815a
2022-07-17T10:45:40.7408290Z github.com/klauspost/compress/zstd.(*blockDec).decodeBuf(0xc0005ce000, 0xc000910290)
2022-07-17T10:45:40.7409700Z 	/Users/runner/work/compress/compress/zstd/blockdec.go:258 +0x2e5 fp=0xc0000d9468 sp=0xc0000d93b0 pc=0x11a6d45
2022-07-17T10:45:40.7410420Z github.com/klauspost/compress/zstd.(*frameDec).runDecoder(0xc000910240, {0xc00649a000?, 0x326, 0xc0000961c0?}, 0xc0005ce000)
2022-07-17T10:45:40.7410950Z 	/Users/runner/work/compress/compress/zstd/framedec.go:377 +0x193 fp=0xc0000d94d8 sp=0xc0000d9468 pc=0x11c7153
2022-07-17T10:45:40.7412160Z github.com/klauspost/compress/zstd.(*Decoder).DecodeAll(0xc0005ca000, {0xc008192e10, 0xe6, 0xf0}, {0x0, 0x0, 0x0})
2022-07-17T10:45:40.7412680Z 	/Users/runner/work/compress/compress/zstd/decoder.go:381 +0x64a fp=0xc0000d96a0 sp=0xc0000d94d8 pc=0x11af46a
2022-07-17T10:45:40.7413280Z github.com/klauspost/compress/zstd.FuzzDecodeAll.func1(0xc000122000, {0xc008192e10, 0xe6, 0xf0})
2022-07-17T10:45:40.7414120Z 	/Users/runner/work/compress/compress/zstd/fuzz_test.go:44 +0xac fp=0xc0000d9770 sp=0xc0000d96a0 pc=0x11fba8c
2022-07-17T10:45:40.7414680Z runtime.call32(0xc00009cf90, 0xc0001647b0, 0x0, 0x0, 0x0, 0x20, 0xc0000d9cb0)
2022-07-17T10:45:40.7419040Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/runtime/asm_amd64.s:702 +0x49 fp=0xc0000d97a0 sp=0xc0000d9770 pc=0x1064969
2022-07-17T10:45:40.7419530Z runtime.reflectcall(0x122b380?, 0xc00855ed08?, 0x4?, 0x127686b?, 0x0?, 0x12?, 0x122b380?)
2022-07-17T10:45:40.7420090Z 	<autogenerated>:1 +0x3c fp=0xc0000d97e0 sp=0xc0000d97a0 pc=0x1068a7c
2022-07-17T10:45:40.7420530Z reflect.Value.call({0x1230540?, 0xc0001647b0?, 0x13?}, {0x1272c3e, 0x4}, {0xc00009c450, 0x2, 0x2?})
2022-07-17T10:45:40.7421040Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/reflect/value.go:556 +0x845 fp=0xc0000d9dd0 sp=0xc0000d97e0 pc=0x10aa9e5
2022-07-17T10:45:40.7421430Z reflect.Value.Call({0x1230540?, 0xc0001647b0?, 0x514?}, {0xc00009c450, 0x2, 0x2})
2022-07-17T10:45:40.7421930Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/reflect/value.go:339 +0xbf fp=0xc0000d9e48 sp=0xc0000d9dd0 pc=0x10aa0df
2022-07-17T10:45:40.7422480Z testing.(*F).Fuzz.func1.1(0xc00038e340?)
2022-07-17T10:45:40.7422950Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/testing/fuzz.go:337 +0x231 fp=0xc0000d9f70 sp=0xc0000d9e48 pc=0x10db951
2022-07-17T10:45:40.7423290Z testing.tRunner(0xc000122000, 0xc000118c60)
2022-07-17T10:45:40.7423760Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/testing/testing.go:1439 +0x102 fp=0xc0000d9fc0 sp=0xc0000d9f70 pc=0x10e4382
2022-07-17T10:45:40.7424270Z testing.(*F).Fuzz.func1.2()
2022-07-17T10:45:40.7424740Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/testing/fuzz.go:324 +0x2a fp=0xc0000d9fe0 sp=0xc0000d9fc0 pc=0x10db6ea
2022-07-17T10:45:40.7425070Z runtime.goexit()
2022-07-17T10:45:40.7425500Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/runtime/asm_amd64.s:1571 +0x1 fp=0xc0000d9fe8 sp=0xc0000d9fe0 pc=0x1066481
2022-07-17T10:45:40.7425880Z created by testing.(*F).Fuzz.func1
2022-07-17T10:45:40.7426360Z 	/Users/runner/hostedtoolcache/go/1.18.3/x64/src/testing/fuzz.go:324 +0x5b8

[klauspost]

@WojciechMula It seems this problem can be reliably triggered by disabling BMI

It seems like it is possible to get to Label(name + "_offset_nonzero") with an offset value > 3.

It could either be triggered by an invalid table or incorrect decoding.

[klauspost]

updateLength appears to be the problem.

[klauspost]

updateLength would output junk values if bitsRead > 64. adjustOffsetInMemory could then see offsetB <= 1, but offset being >3. This would cause Mem{Base: prevOffset, Index: CX, Scale: 8} to crash since CX was too big.

This would happen on corrupted input.