Skip to content

Commit

Permalink
std.compress.zstandard: fix crashes
Browse files Browse the repository at this point in the history
  • Loading branch information
dweiller committed Feb 3, 2023
1 parent ea82ec2 commit aaf7076
Show file tree
Hide file tree
Showing 3 changed files with 32 additions and 19 deletions.
32 changes: 20 additions & 12 deletions lib/std/compress/zstandard/decode/block.zig
View file
Original file line number Diff line number Diff line change
Expand Up @@ -148,8 +148,8 @@ pub const DecodeState = struct {
}

fn updateRepeatOffset(self: *DecodeState, offset: u32) void {
std.mem.swap(u32, &self.repeat_offsets[0], &self.repeat_offsets[1]);
std.mem.swap(u32, &self.repeat_offsets[0], &self.repeat_offsets[2]);
self.repeat_offsets[2] = self.repeat_offsets[1];
self.repeat_offsets[1] = self.repeat_offsets[0];
self.repeat_offsets[0] = offset;
}

Expand Down Expand Up @@ -238,18 +238,22 @@ pub const DecodeState = struct {
fn nextSequence(
self: *DecodeState,
bit_reader: *readers.ReverseBitReader,
) error{ OffsetCodeTooLarge, EndOfStream }!Sequence {
) error{ InvalidBitStream, EndOfStream }!Sequence {
const raw_code = self.getCode(.offset);
const offset_code = std.math.cast(u5, raw_code) orelse {
return error.OffsetCodeTooLarge;
return error.InvalidBitStream;
};
const offset_value = (@as(u32, 1) << offset_code) + try bit_reader.readBitsNoEof(u32, offset_code);

const match_code = self.getCode(.match);
if (match_code >= types.compressed_block.match_length_code_table.len)
return error.InvalidBitStream;
const match = types.compressed_block.match_length_code_table[match_code];
const match_length = match[0] + try bit_reader.readBitsNoEof(u32, match[1]);

const literal_code = self.getCode(.literal);
if (literal_code >= types.compressed_block.literals_length_code_table.len)
return error.InvalidBitStream;
const literal = types.compressed_block.literals_length_code_table[literal_code];
const literal_length = literal[0] + try bit_reader.readBitsNoEof(u32, literal[1]);

Expand All @@ -269,6 +273,8 @@ pub const DecodeState = struct {
break :offset self.useRepeatOffset(offset_value - 1);
};

if (offset == 0) return error.InvalidBitStream;

return .{
.literal_length = literal_length,
.match_length = match_length,
Expand Down Expand Up @@ -308,7 +314,7 @@ pub const DecodeState = struct {
}

const DecodeSequenceError = error{
OffsetCodeTooLarge,
InvalidBitStream,
EndOfStream,
MalformedSequence,
MalformedFseBits,
Expand All @@ -326,7 +332,7 @@ pub const DecodeState = struct {
/// - `error.UnexpectedEndOfLiteralStream` if the decoder state's literal
/// streams do not contain enough literals for the sequence (this may
/// mean the literal stream or the sequence is malformed).
/// - `error.OffsetCodeTooLarge` if an invalid offset code is found
/// - `error.InvalidBitStream` if the FSE sequence bitstream is malformed
/// - `error.EndOfStream` if `bit_reader` does not contain enough bits
pub fn decodeSequenceSlice(
self: *DecodeState,
Expand Down Expand Up @@ -608,9 +614,9 @@ pub fn decodeBlock(
.compressed => {
if (src.len < block_size) return error.MalformedBlockSize;
var bytes_read: usize = 0;
const literals = decodeLiteralsSectionSlice(src, &bytes_read) catch
const literals = decodeLiteralsSectionSlice(src[0..block_size], &bytes_read) catch
return error.MalformedCompressedBlock;
var fbs = std.io.fixedBufferStream(src[bytes_read..]);
var fbs = std.io.fixedBufferStream(src[bytes_read..block_size]);
const fbs_reader = fbs.reader();
const sequences_header = decodeSequencesHeader(fbs_reader) catch
return error.MalformedCompressedBlock;
Expand Down Expand Up @@ -695,9 +701,9 @@ pub fn decodeBlockRingBuffer(
.compressed => {
if (src.len < block_size) return error.MalformedBlockSize;
var bytes_read: usize = 0;
const literals = decodeLiteralsSectionSlice(src, &bytes_read) catch
const literals = decodeLiteralsSectionSlice(src[0..block_size], &bytes_read) catch
return error.MalformedCompressedBlock;
var fbs = std.io.fixedBufferStream(src[bytes_read..]);
var fbs = std.io.fixedBufferStream(src[bytes_read..block_size]);
const fbs_reader = fbs.reader();
const sequences_header = decodeSequencesHeader(fbs_reader) catch
return error.MalformedCompressedBlock;
Expand Down Expand Up @@ -894,7 +900,8 @@ pub fn decodeLiteralsSectionSlice(
else
null;
const huffman_tree_size = bytes_read - huffman_tree_start;
const total_streams_size = @as(usize, header.compressed_size.?) - huffman_tree_size;
const total_streams_size = std.math.sub(usize, header.compressed_size.?, huffman_tree_size) catch
return error.MalformedLiteralsSection;

if (src.len < bytes_read + total_streams_size) return error.MalformedLiteralsSection;
const stream_data = src[bytes_read .. bytes_read + total_streams_size];
Expand Down Expand Up @@ -941,7 +948,8 @@ pub fn decodeLiteralsSection(
else
null;
const huffman_tree_size = counting_reader.bytes_read;
const total_streams_size = @as(usize, header.compressed_size.?) - @intCast(usize, huffman_tree_size);
const total_streams_size = std.math.sub(usize, header.compressed_size.?, huffman_tree_size) catch
return error.MalformedLiteralsSection;

if (total_streams_size > buffer.len) return error.LiteralsBufferTooSmall;
try source.readNoEof(buffer[0..total_streams_size]);
Expand Down
3 changes: 2 additions & 1 deletion lib/std/compress/zstandard/decode/huffman.zig
View file
Original file line number Diff line number Diff line change
Expand Up @@ -146,13 +146,14 @@ fn assignSymbols(weight_sorted_prefixed_symbols: []LiteralsSection.HuffmanTree.P
return prefixed_symbol_count;
}

fn buildHuffmanTree(weights: *[256]u4, symbol_count: usize) LiteralsSection.HuffmanTree {
fn buildHuffmanTree(weights: *[256]u4, symbol_count: usize) error{MalformedHuffmanTree}!LiteralsSection.HuffmanTree {
var weight_power_sum: u16 = 0;
for (weights[0 .. symbol_count - 1]) |value| {
if (value > 0) {
weight_power_sum += @as(u16, 1) << (value - 1);
}
}
if (weight_power_sum >= 1 << 11) return error.MalformedHuffmanTree;

// advance to next power of two (even if weight_power_sum is a power of 2)
const max_number_of_bits = std.math.log2_int(u16, weight_power_sum) + 1;
Expand Down
16 changes: 10 additions & 6 deletions lib/std/compress/zstandard/decompress.zig
View file
Original file line number Diff line number Diff line change
Expand Up @@ -195,6 +195,7 @@ pub fn decodeZstandardFrame(
);

if (frame_header.descriptor.content_checksum_flag) {
if (src.len < consumed_count + 4) return error.EndOfStream;
const checksum = readIntSlice(u32, src[consumed_count .. consumed_count + 4]);
consumed_count += 4;
if (hasher_opt) |*hasher| {
Expand Down Expand Up @@ -302,17 +303,20 @@ pub fn decodeZstandardFrameAlloc(
&consumed_count,
frame_context.block_size_max,
);
const written_slice = ring_buffer.sliceLast(written_size);
try result.appendSlice(written_slice.first);
try result.appendSlice(written_slice.second);
if (frame_context.hasher_opt) |*hasher| {
hasher.update(written_slice.first);
hasher.update(written_slice.second);
if (written_size > 0) {
const written_slice = ring_buffer.sliceLast(written_size);
try result.appendSlice(written_slice.first);
try result.appendSlice(written_slice.second);
if (frame_context.hasher_opt) |*hasher| {
hasher.update(written_slice.first);
hasher.update(written_slice.second);
}
}
if (block_header.last_block) break;
}

if (frame_context.has_checksum) {
if (src.len < consumed_count + 4) return error.EndOfStream;
const checksum = readIntSlice(u32, src[consumed_count .. consumed_count + 4]);
consumed_count += 4;
if (frame_context.hasher_opt) |*hasher| {
Expand Down

0 comments on commit aaf7076

Please sign in to comment.