From e490be895cda9d1d6f707eaa86f8a72995960053 Mon Sep 17 00:00:00 2001
From: Mingjie Shen
Date: Mon, 13 Jan 2025 16:39:34 -0500
Subject: [PATCH 1/2] fix out-of-bounds array index access
---
 lib/compress/zstd_compress.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/compress/zstd_compress.c b/lib/compress/zstd_compress.c
index 04b6bb9f11..ef1817f521 100644
--- a/lib/compress/zstd_compress.c
+++ b/lib/compress/zstd_compress.c
@@ -6713,7 +6713,7 @@ ZSTD_transferSequences_wBlockDelim(ZSTD_CCtx* cctx,
 ZSTD_memcpy(cctx->blockState.nextCBlock->rep, updatedRepcodes.rep, sizeof(Repcodes_t));
- if (inSeqs[idx].litLength) {
+ if (idx < inSeqsSize && inSeqs[idx].litLength) {
 DEBUGLOG(6, "Storing last literals of size: %u", inSeqs[idx].litLength);
 ZSTD_storeLastLiterals(&cctx->seqStore, ip, inSeqs[idx].litLength);
 ip += inSeqs[idx].litLength;
From afff3d2cce1ad2e81b16459de5b572131949c44f Mon Sep 17 00:00:00 2001
From: Mingjie Shen
Date: Mon, 13 Jan 2025 20:52:06 -0500
Subject: [PATCH 2/2] return error if block delimiter is not found
---
 lib/compress/zstd_compress.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/compress/zstd_compress.c b/lib/compress/zstd_compress.c
index ef1817f521..e033a04ccc 100644
--- a/lib/compress/zstd_compress.c
+++ b/lib/compress/zstd_compress.c
@@ -6687,6 +6687,7 @@ ZSTD_transferSequences_wBlockDelim(ZSTD_CCtx* cctx,
 ZSTD_storeSeq(&cctx->seqStore, litLength, ip, iend, offBase, matchLength);
 ip += matchLength + litLength;
 }
+ RETURN_ERROR_IF(idx == inSeqsSize, externalSequences_invalid, "Block delimiter not found.");
 /* If we skipped repcode search while parsing, we need to update repcodes now */
 assert(externalRepSearch != ZSTD_ps_auto);
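Review bot: The `RETURN_ERROR_IF(idx == inSeqsSize, ...)` added in the first hunk of patch 2/2 is now the only thing keeping the later `inSeqs[idx]` reads in bounds, yet nothing at the check says so. A later edit that moves or drops it would silently bring back the out-of-bounds read that patch 1/2 was written to fix. I would add a comment above it, such as `/* inSeqs[idx] is dereferenced below, so idx must still index a real entry (the block delimiter) */`. The diffstat shows only lib/compress/zstd_compress.c changed, so no regression test feeds a sequence array without a delimiter and expects `externalSequences_invalid`; adding one would pin the fix. What looks like the loop that advances `idx` starts outside this hunk, so its exit condition should be confirmed to stop at `inSeqsSize`.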
@@ -6713,7 +6714,7 @@ ZSTD_transferSequences_wBlockDelim(ZSTD_CCtx* cctx,
 ZSTD_memcpy(cctx->blockState.nextCBlock->rep, updatedRepcodes.rep, sizeof(Repcodes_t));
- if (idx < inSeqsSize && inSeqs[idx].litLength) {
+ if (inSeqs[idx].litLength) {
 DEBUGLOG(6, "Storing last literals of size: %u", inSeqs[idx].litLength);
 ZSTD_storeLastLiterals(&cctx->seqStore, ip, inSeqs[idx].litLength);
 ip += inSeqs[idx].litLength;
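Review bot: With the `idx < inSeqsSize` test removed again, the `inSeqs[idx].litLength` read in this hunk relies entirely on the early return added earlier in the same function by this patch, and the invariant is not stated where the array is indexed. I would add `assert(idx < inSeqsSize);` just before `if (inSeqs[idx].litLength) {`, so debug and fuzzing builds trap a regression at the point of use instead of reading past the caller's array. The function already uses `assert` in this way, as in `assert(externalRepSearch != ZSTD_ps_auto);`. The body of the `if` continues past the end of the hunk.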