From f8584eefd20e7e18483f5695f17e574381863004 Mon Sep 17 00:00:00 2001
From: Sebastian Melzer
Date: Fri, 7 Apr 2023 08:23:54 +0200
Subject: [PATCH] Prevent out of bounds accesses in decode-code-length-entries
---
 deflate.lisp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/deflate.lisp b/deflate.lisp
index aea6492..a2f4376 100644
--- a/deflate.lisp
+++ b/deflate.lisp
@@ -445,17 +445,29 @@ lengths for further processing."
 (setf (aref result index) code)
 (incf index))
 (16
+ (when (= index 0)
+ (error 'deflate-decompression-error
+ :format-control "Length entries start with a repetition!"))
 (let ((length (+ 3 (bit-stream-read-bits bit-stream 2))))
+ (unless (<= (+ index length) count)
+ (error 'deflate-decompression-error
+ :format-control "Length entries expand out of bounds."))
 (dotimes (i length)
 (setf (aref result (+ index i)) (aref result (1- index))))
 (incf index length)))
 (17
 (let ((length (+ 3 (bit-stream-read-bits bit-stream 3))))
+ (unless (<= (+ index length) count)
+ (error 'deflate-decompression-error
+ :format-control "Length entries expand out of bounds."))
 (dotimes (i length)
 (setf (aref result (+ index i)) 0))
 (incf index length)))
 (18
 (let ((length (+ 11 (bit-stream-read-bits bit-stream 7))))
+ (unless (<= (+ index length) count)
+ (error 'deflate-decompression-error
+ :format-control "Length entries expand out of bounds."))
 (dotimes (i length)
 (setf (aref result (+ index i)) 0))
 (incf index length)))))))
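Review bot: The `(= index 0)` guard added under case 16, and the three `(<= (+ index length) count)` checks, are right only if `count` spans the whole code-length sequence of the block. RFC 1951 lets repeat codes run on from the literal/length lengths into the distance lengths, so if the caller (outside this hunk) decodes the two tables in separate calls, a conforming stream could now be rejected; it is worth confirming that the combined count is passed. The same three-line `unless` form is repeated verbatim in branches 16, 17 and 18, and hoisting it into one local function that each branch calls with `length` would keep the checks from drifting apart. Because these checks are what keep the `(setf (aref result (+ index i)) ...)` writes inside `result`, a comment such as `;; reject runs that would write past the COUNT entries of RESULT` would help, as would a regression test for both error paths, since the diffstat shows only deflate.lisp changed. The function's header and loop start outside the hunk.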