From 88f563d84c6ed0001ffe80b2bcc13e3a99ffdc14 Mon Sep 17 00:00:00 2001 From: Emmanuel Marty Date: Tue, 26 Nov 2019 17:35:11 +0100 Subject: [PATCH] Secure last token decompression for non-raw blocks --- src/expand_block_v2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/expand_block_v2.c b/src/expand_block_v2.c index 9e364f3..e024b4c 100644 --- a/src/expand_block_v2.c +++ b/src/expand_block_v2.c @@ -146,7 +146,7 @@ int lzsa_decompressor_expand_block_v2(const unsigned char *pInBlock, int nBlockS } } - if ((pInBlock + 1) < pInBlockEnd) { /* The last token in the block does not include match information */ + if (pInBlock < pInBlockEnd) { /* The last token in the block does not include match information */ unsigned char nOffsetMode = token & 0xc0; unsigned int nValue; @@ -185,6 +185,7 @@ int lzsa_decompressor_expand_block_v2(const unsigned char *pInBlock, int nBlockS if ((token & 0x20) == 0) { /* 16 bit offset */ nMatchOffset = (((unsigned int)(*pInBlock++)) << 8); + if (pInBlock >= pInBlockEnd) return -1; nMatchOffset |= (unsigned int)(*pInBlock++); nMatchOffset ^= 0xffff; nMatchOffset++;