Add extra bound checks in C decompressors

2025-01-03 19:30:35 +00:00 · 2019-09-12 16:19:14 +02:00 · 2019-09-12 16:19:14 +02:00 · b1da9c1aee
commit b1da9c1aee
parent b92a003338
2 changed files with 44 additions and 34 deletions
--- a/src/expand_block_v1.c
+++ b/src/expand_block_v1.c
@ -166,7 +166,7 @@ int lzsa_decompressor_expand_block_v1(const unsigned char *pInBlock, int nBlockS
         const unsigned char *pSrc = pCurOutData - nMatchOffset;
         if (pSrc >= pOutData) {
            unsigned int nMatchLen = (unsigned int)(token & 0x0f);
-            if (nMatchLen != MATCH_RUN_LEN_V1 && nMatchOffset >= 8 && pCurOutData < pOutDataFastEnd) {
+            if (nMatchLen != MATCH_RUN_LEN_V1 && nMatchOffset >= 8 && pCurOutData < pOutDataFastEnd && (pSrc + 18) <= pOutDataEnd) {
               memcpy(pCurOutData, pSrc, 8);
               memcpy(pCurOutData + 8, pSrc + 8, 8);
               memcpy(pCurOutData + 16, pSrc + 16, 2);
@ -181,6 +181,7 @@ int lzsa_decompressor_expand_block_v1(const unsigned char *pInBlock, int nBlockS
                     break;
               }

+               if ((pSrc + nMatchLen) <= pOutDataEnd) {
                  if ((pCurOutData + nMatchLen) <= pOutDataEnd) {
                     /* Do a deterministic, left to right byte copy instead of memcpy() so as to handle overlaps */

@ -208,6 +209,10 @@ int lzsa_decompressor_expand_block_v1(const unsigned char *pInBlock, int nBlockS
                     return -1;
                  }
               }
+               else {
+                  return -1;
+               }
+            }
         }
         else {
            return -1;
--- a/src/expand_block_v2.c
+++ b/src/expand_block_v2.c
@ -195,7 +195,7 @@ int lzsa_decompressor_expand_block_v2(const unsigned char *pInBlock, int nBlockS
         const unsigned char *pSrc = pCurOutData - nMatchOffset;
         if (pSrc >= pOutData) {
            unsigned int nMatchLen = (unsigned int)(token & 0x07);
-            if (nMatchLen != MATCH_RUN_LEN_V2 && nMatchOffset >= 8 && pCurOutData < pOutDataFastEnd) {
+            if (nMatchLen != MATCH_RUN_LEN_V2 && nMatchOffset >= 8 && pCurOutData < pOutDataFastEnd && (pSrc + 10) <= pOutDataEnd) {
               memcpy(pCurOutData, pSrc, 8);
               memcpy(pCurOutData + 8, pSrc + 8, 2);
               pCurOutData += (MIN_MATCH_SIZE_V2 + nMatchLen);
@ -209,6 +209,7 @@ int lzsa_decompressor_expand_block_v2(const unsigned char *pInBlock, int nBlockS
                     break;
               }

+               if ((pSrc + nMatchLen) <= pOutDataEnd) {
                  if ((pCurOutData + nMatchLen) <= pOutDataEnd) {
                     /* Do a deterministic, left to right byte copy instead of memcpy() so as to handle overlaps */

@ -236,6 +237,10 @@ int lzsa_decompressor_expand_block_v2(const unsigned char *pInBlock, int nBlockS
                     return -1;
                  }
               }
+               else {
+                  return -1;
+               }
+            }
         }
         else {
            return -1;