From f2433ec891cd269ce24ee286e46859563cdb20d2 Mon Sep 17 00:00:00 2001 From: Daniel Friesel Date: Wed, 20 Jan 2021 19:56:03 +0100 Subject: add some bounds checks --- include/lib/udeflate.h | 3 ++- src/lib/udeflate.cc | 13 ++++++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/include/lib/udeflate.h b/include/lib/udeflate.h index e751374..f3b1ff6 100644 --- a/include/lib/udeflate.h +++ b/include/lib/udeflate.h @@ -6,11 +6,12 @@ #include -#define UDEFLATE_ERR_LENGTH (-1) +#define UDEFLATE_ERR_INPUT_LENGTH (-1) #define UDEFLATE_ERR_METHOD (-2) #define UDEFLATE_ERR_FDICT (-3) #define UDEFLATE_ERR_BLOCK (-4) #define UDEFLATE_ERR_CHECKSUM (-5) +#define UDEFLATE_ERR_OUTPUT_LENGTH (-6) int8_t udeflate(unsigned char *input_buf, uint16_t input_len, unsigned char *output_buf, uint16_t output_len); diff --git a/src/lib/udeflate.cc b/src/lib/udeflate.cc index 31c0927..c8f281f 100644 --- a/src/lib/udeflate.cc +++ b/src/lib/udeflate.cc @@ -242,6 +242,9 @@ static int8_t udeflate_huffman(uint8_t * ll_lengths, uint16_t ll_size, kout << "code " << code << endl; #endif if (code < 256) { + if (udeflate_output_now == udeflate_output_end) { + return UDEFLATE_ERR_OUTPUT_LENGTH; + } *udeflate_output_now = code; udeflate_output_now++; } else if (code == 256) { @@ -262,11 +265,17 @@ static int8_t udeflate_huffman(uint8_t * ll_lengths, uint16_t ll_size, dist_val += udeflate_get_bits(extra_bits); } while (len_val--) { + if (udeflate_output_now == udeflate_output_end) { + return UDEFLATE_ERR_OUTPUT_LENGTH; + } udeflate_output_now[0] = udeflate_output_now[-dist_val]; udeflate_output_now++; } } + if (udeflate_input_now >= udeflate_input_end - 4) { + return UDEFLATE_ERR_INPUT_LENGTH; + } } } @@ -362,8 +371,6 @@ static int8_t udeflate_dynamic_huffman() return udeflate_huffman(udeflate_lld_lengths, hlit, udeflate_lld_lengths + hlit, hdist); - - return 0; } int8_t udeflate(unsigned char *input_buf, uint16_t input_len, 
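Review bot: Renaming `UDEFLATE_ERR_LENGTH` to `UDEFLATE_ERR_INPUT_LENGTH` in the public header removes a name that code outside this patch may still compare against, and neither length code says which condition it reports. If external callers exist, keeping `#define UDEFLATE_ERR_LENGTH UDEFLATE_ERR_INPUT_LENGTH` as a deprecated alias avoids breaking them. A one-line comment on each code would help, for example `/* input ended before the stream was complete */` and `/* output_buf too small for the decompressed data */`, with the wording confirmed against the checks in udeflate.cc. The second should also say that bytes written before the error are a truncated result and must not be used.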
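Review bot: The back-reference copy in the `while (len_val--)` loop now bounds the write, but the read at `udeflate_output_now[-dist_val]` is still unchecked. A stream whose distance exceeds the bytes produced so far reads memory in front of the output buffer and copies it into the output. Before the loop, `dist_val` should be compared with the number of bytes already written and the block rejected otherwise, e.g. `if (dist_val > udeflate_output_now - OUTPUT_START) return UDEFLATE_ERR_BLOCK;`, where OUTPUT_START is a placeholder for the start of the output buffer, which is not visible in this hunk. The added input check runs only at the end of an iteration, after that iteration's bit reads, and `udeflate_input_end - 4` assumes at least four bytes of input; whether every entry point guarantees that cannot be seen here. udeflate_huffman starts outside the hunk.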
@@ -396,7 +403,7 @@ int8_t udeflate_zlib(unsigned char *input_buf, uint16_t input_len,
 unsigned char *output_buf, uint16_t output_len)
 {
 if (input_len < 4) {
- return UDEFLATE_ERR_LENGTH;
+ return UDEFLATE_ERR_INPUT_LENGTH;
 }
 uint8_t zlib_method = input_buf[0] & 0x0f;
 uint16_t zlib_window_size = 1 << (8 + ((input_buf[0] & 0xf0) >> 4));
-- cgit v1.2.3