zstd: Fix ineffective block size check (#771)
When falling back to Go decoding, block sizes were not checked correctly.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56755
klauspost committed Mar 8, 2023
1 parent 0f734cf commit 3588812
Showing 4 changed files with 10 additions and 21 deletions.
24 changes: 9 additions & 15 deletions zstd/fuzz_test.go
Expand Up @@ -62,17 +62,6 @@ func FuzzDecAllNoBMI2(f *testing.F) {
func FuzzDecoder(f *testing.F) {
fuzz.AddFromZip(f, "testdata/fuzz/decode-corpus-raw.zip", true, testing.Short())
fuzz.AddFromZip(f, "testdata/fuzz/decode-corpus-encoded.zip", false, testing.Short())
decLow, err := NewReader(nil, WithDecoderLowmem(true), WithDecoderConcurrency(2), WithDecoderMaxMemory(20<<20), WithDecoderMaxWindow(1<<20), IgnoreChecksum(true), WithDecodeBuffersBelow(8<<10))
if err != nil {
f.Fatal(err)
}
defer decLow.Close()
// Test with high memory, but sync decoding
decHi, err := NewReader(nil, WithDecoderLowmem(false), WithDecoderConcurrency(1), WithDecoderMaxMemory(20<<20), WithDecoderMaxWindow(1<<20), IgnoreChecksum(true), WithDecodeBuffersBelow(8<<10))
if err != nil {
f.Fatal(err)
}
defer decHi.Close()

brLow := newBytesReader(nil)
brHi := newBytesReader(nil)
Expand All @@ -86,14 +75,19 @@ func FuzzDecoder(f *testing.F) {
}()
brLow.Reset(b)
brHi.Reset(b)
err := decLow.Reset(brLow)
decLow, err := NewReader(brLow, WithDecoderLowmem(true), WithDecoderConcurrency(2), WithDecoderMaxMemory(20<<20), WithDecoderMaxWindow(1<<20), IgnoreChecksum(true), WithDecodeBuffersBelow(8<<10))
if err != nil {
t.Fatal(err)
f.Fatal(err)
}
err = decHi.Reset(brHi)
defer decLow.Close()

// Test with high memory, but sync decoding
decHi, err := NewReader(brHi, WithDecoderLowmem(false), WithDecoderConcurrency(1), WithDecoderMaxMemory(20<<20), WithDecoderMaxWindow(1<<20), IgnoreChecksum(true), WithDecodeBuffersBelow(8<<10))
if err != nil {
t.Fatal(err)
f.Fatal(err)
}
defer decHi.Close()

b1, err1 := io.ReadAll(decLow)
b2, err2 := io.ReadAll(decHi)
if err1 != err2 {
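Review bot: The two `f.Fatal(err)` calls that follow the per-input `NewReader(brLow, …)` and `NewReader(brHi, …)` appear to sit inside the fuzz target (the closure that receives `b`, which starts outside this hunk), where the testing package does not permit `*testing.F` methods such as Fatal. A constructor error there would surface as a harness-misuse panic rather than a clean failure attributed to the offending input. As rendered, the `Reset` error checks they replace used `t.Fatal(err)`; both new checks should keep `t.Fatal(err)`.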
6 changes: 1 addition & 5 deletions zstd/seqdec.go
Expand Up @@ -314,9 +314,6 @@ func (s *sequenceDecs) decodeSync(hist []byte) error {
}
size := ll + ml + len(out)
if size-startSize > maxBlockSize {
if size-startSize == 424242 {
panic("here")
}
return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize)
}
if size > cap(out) {
Expand Down Expand Up @@ -427,8 +424,7 @@ func (s *sequenceDecs) decodeSync(hist []byte) error {
}
}

// Check if space for literals
if size := len(s.literals) + len(s.out) - startSize; size > maxBlockSize {
if size := len(s.literals) + len(out) - startSize; size > maxBlockSize {
return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize)
}

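Review bot: The corrected bound `if size := len(s.literals) + len(out) - startSize; size > maxBlockSize` in the second hunk carries no comment explaining why it must read the local `out` rather than `s.out`, so the same slip could be reintroduced by a later edit. Judging from the first hunk (`size := ll + ml + len(out)`, `cap(out)`), the loop grows the local slice and `s.out` is presumably only written back after this check, which would be why the old comparison never saw the bytes decoded from untrusted input in this call. I would add a comment such as `// Use the local out here: s.out is not updated until after this check, so len(s.out) would miss this block's output.` decodeSync begins and ends outside both hunks, so the write-back itself should be confirmed against the full function.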
1 change: 0 additions & 1 deletion zstd/seqdec_amd64.go
Expand Up @@ -148,7 +148,6 @@ func (s *sequenceDecs) decodeSyncSimple(hist []byte) (bool, error) {
s.seqSize += ctx.litRemain
if s.seqSize > maxBlockSize {
return true, fmt.Errorf("output bigger than max block size (%d)", maxBlockSize)

}
err := br.close()
if err != nil {
Binary file modified zstd/testdata/fuzz/decode-corpus-encoded.zip
Binary file not shown.
