OSCL/Deflate
2
0
Fork 0
mirror of https://github.com/pmai/Deflate.git synced 2025-12-22 05:24:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Prevent out of bounds accesses in decode-code-length-entries

Browse Source
This commit is contained in:
Sebastian Melzer
2023-04-07 08:23:54 +02:00
committed by Pierre R. Mai
parent fd164c918a
commit f8584eefd2
1 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
deflate.lisp
View File

@ -445,17 +445,29 @@ lengths for further processing."
(setf (aref result index) code) (setf (aref result index) code)
(incf index)) (incf index))
(16 (16
(when (= index 0)
(error 'deflate-decompression-error
:format-control "Length entries start with a repetition!"))
(let ((length (+ 3 (bit-stream-read-bits bit-stream 2)))) (let ((length (+ 3 (bit-stream-read-bits bit-stream 2))))
(unless (<= (+ index length) count)
(error 'deflate-decompression-error
:format-control "Length entries expand out of bounds."))
(dotimes (i length) (dotimes (i length)
(setf (aref result (+ index i)) (aref result (1- index)))) (setf (aref result (+ index i)) (aref result (1- index))))
(incf index length))) (incf index length)))
(17 (17
(let ((length (+ 3 (bit-stream-read-bits bit-stream 3)))) (let ((length (+ 3 (bit-stream-read-bits bit-stream 3))))
(unless (<= (+ index length) count)
(error 'deflate-decompression-error
:format-control "Length entries expand out of bounds."))
(dotimes (i length) (dotimes (i length)
(setf (aref result (+ index i)) 0)) (setf (aref result (+ index i)) 0))
(incf index length))) (incf index length)))
(18 (18
(let ((length (+ 11 (bit-stream-read-bits bit-stream 7)))) (let ((length (+ 11 (bit-stream-read-bits bit-stream 7))))
(unless (<= (+ index length) count)
(error 'deflate-decompression-error
:format-control "Length entries expand out of bounds."))
(dotimes (i length) (dotimes (i length)
(setf (aref result (+ index i)) 0)) (setf (aref result (+ index i)) 0))
(incf index length))))))) (incf index length)))))))