authorDaniel Friesel <derf@finalrewind.org>2021-01-20 19:56:03 +0100
committerDaniel Friesel <derf@finalrewind.org>2021-01-20 19:56:03 +0100
commitf2433ec891cd269ce24ee286e46859563cdb20d2 (patch)
treeac85db1acffa8e897acfd5a9a5d52e1ea4363749
parent4d88a39160bc389b3198bc81b280093beea1790e (diff)
add some bounds checks
-rw-r--r--include/lib/udeflate.h3
-rw-r--r--src/lib/udeflate.cc13
2 files changed, 12 insertions, 4 deletions
diff --git a/include/lib/udeflate.h b/include/lib/udeflate.h
index e751374..f3b1ff6 100644
--- a/include/lib/udeflate.h
+++ b/include/lib/udeflate.h
@@ -6,11 +6,12 @@
#include <stdint.h>
-#define UDEFLATE_ERR_LENGTH (-1)
+#define UDEFLATE_ERR_INPUT_LENGTH (-1)
#define UDEFLATE_ERR_METHOD (-2)
#define UDEFLATE_ERR_FDICT (-3)
#define UDEFLATE_ERR_BLOCK (-4)
#define UDEFLATE_ERR_CHECKSUM (-5)
+#define UDEFLATE_ERR_OUTPUT_LENGTH (-6)
int8_t udeflate(unsigned char *input_buf, uint16_t input_len,
unsigned char *output_buf, uint16_t output_len);
diff --git a/src/lib/udeflate.cc b/src/lib/udeflate.cc
index 31c0927..c8f281f 100644
--- a/src/lib/udeflate.cc
+++ b/src/lib/udeflate.cc
@@ -242,6 +242,9 @@ static int8_t udeflate_huffman(uint8_t * ll_lengths, uint16_t ll_size,
kout << "code " << code << endl;
#endif
if (code < 256) {
+ if (udeflate_output_now == udeflate_output_end) {
+ return UDEFLATE_ERR_OUTPUT_LENGTH;
+ }
*udeflate_output_now = code;
udeflate_output_now++;
} else if (code == 256) {
@@ -262,11 +265,17 @@ static int8_t udeflate_huffman(uint8_t * ll_lengths, uint16_t ll_size,
dist_val += udeflate_get_bits(extra_bits);
}
while (len_val--) {
+ if (udeflate_output_now == udeflate_output_end) {
+ return UDEFLATE_ERR_OUTPUT_LENGTH;
+ }
udeflate_output_now[0] =
udeflate_output_now[-dist_val];
udeflate_output_now++;
}
}
+ if (udeflate_input_now >= udeflate_input_end - 4) {
+ return UDEFLATE_ERR_INPUT_LENGTH;
+ }
}
}
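Review bot: The back-reference copy in the `while (len_val--)` loop still reads `udeflate_output_now[-dist_val]` without checking that `dist_val` is no larger than the number of bytes already written, so a stream whose distance points before the start of the output buffer makes the decoder read out of bounds and copy that memory into the output. The added check bounds only the write side. Reject such a distance before the loop, e.g. `if (dist_val > udeflate_output_now - output_start) return UDEFLATE_ERR_BLOCK;`, where `output_start` is a placeholder for whatever holds the beginning of the output buffer (not visible in this hunk). The new input check also runs only after a whole symbol has been decoded, so it should be confirmed whether `udeflate_get_bits` can read past the end of the input in between. `udeflate_huffman` starts and ends outside this hunk.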
@@ -362,8 +371,6 @@ static int8_t udeflate_dynamic_huffman()
return udeflate_huffman(udeflate_lld_lengths, hlit,
udeflate_lld_lengths + hlit, hdist);
-
- return 0;
}
int8_t udeflate(unsigned char *input_buf, uint16_t input_len,
@@ -396,7 +403,7 @@ int8_t udeflate_zlib(unsigned char *input_buf, uint16_t input_len,
unsigned char *output_buf, uint16_t output_len)
{
if (input_len < 4) {
- return UDEFLATE_ERR_LENGTH;
+ return UDEFLATE_ERR_INPUT_LENGTH;
}
uint8_t zlib_method = input_buf[0] & 0x0f;
uint16_t zlib_window_size = 1 << (8 + ((input_buf[0] & 0xf0) >> 4));