From 2f26a7bb128a144f1944f1f27c77ebc4baa9bc8a Mon Sep 17 00:00:00 2001
From: Tim Ledbetter
Date: Mon, 9 Oct 2023 17:54:49 +0100
Subject: [PATCH] LibCompress: Avoid buffer overrun when building canonical Huffman code

Previously, decompressing a DEFLATE stream an invalid canonical Huffman code could cause a buffer overrun. We now return an error in this case.
---
Tests/LibCompress/TestDeflate.cpp | 7 +++++++
Userland/Libraries/LibCompress/Deflate.cpp | 3 +++
2 files changed, 10 insertions(+)

diff --git a/Tests/LibCompress/TestDeflate.cpp b/Tests/LibCompress/TestDeflate.cpp
index f081fb1cb8b..da53aefef29 100644
--- a/Tests/LibCompress/TestDeflate.cpp
+++ b/Tests/LibCompress/TestDeflate.cpp
@@ -55,6 +55,13 @@ TEST_CASE(canonical_code_complex)
 EXPECT_EQ(MUST(huffman.read_symbol(bit_stream)), output[idx]);
 }
 
+TEST_CASE(invalid_canonical_code)
+{
+ Array code;
+ code.fill(0x08);
+ EXPECT(Compress::CanonicalCode::from_bytes(code).is_error());
+}
+
 TEST_CASE(deflate_decompress_compressed_block)
 {
 Array const compressed {
diff --git a/Userland/Libraries/LibCompress/Deflate.cpp b/Userland/Libraries/LibCompress/Deflate.cpp
index 66605a79ef3..18216fb124c 100644
--- a/Userland/Libraries/LibCompress/Deflate.cpp
+++ b/Userland/Libraries/LibCompress/Deflate.cpp
@@ -100,6 +100,9 @@ ErrorOr CanonicalCode::from_bytes(ReadonlyBytes bytes)
 return Error::from_string_literal("Failed to decode code lengths");
 
 if (code_length <= CanonicalCode::max_allowed_prefixed_code_length) {
+ if (number_of_prefix_codes >= prefix_codes.size())
+ return Error::from_string_literal("Invalid canonical Huffman code");
+
 auto& prefix_code = prefix_codes[number_of_prefix_codes++];
 prefix_code.symbol_code = next_code;
 prefix_code.symbol_value = symbol;
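Review bot: The new `invalid_canonical_code` test only asserts `is_error()` on a code filled with `0x08`, so a regression that rejects every input (including valid codes) would still pass; a companion assertion that a well-formed code of the same size still succeeds would show the guard rejects only over-subscribed input. The `Array code;` declaration appears to have lost its template arguments in this rendering, so the element count the test depends on cannot be confirmed from the hunk. A one-line comment explaining why filling with `0x08` yields an invalid code would help, e.g. `// Every symbol at length 8 over-subscribes the prefix space, so building the code must fail.`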
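Review bot: The added bound check in `CanonicalCode::from_bytes` rejects the overrun only at the point of writing into `prefix_codes`, and only on the `code_length <= max_allowed_prefixed_code_length` branch; the longer-code path after this `if` lies outside the hunk and presumably populates its own table, which would need an equivalent guard that the commit does not add. A more complete fix is to validate the code lengths before any table is filled: reject the input when the Kraft sum of the lengths exceeds 1 (equivalently, when `Σ 2^(max_len - len) > 2^max_len`), which catches every over-subscribed code up front and turns this index check into a pure invariant. The check as written is correct given that `number_of_prefix_codes` indexes `prefix_codes`; a comment such as `// An over-subscribed code would otherwise index past prefix_codes.` would record the reason. The enclosing function begins and ends outside the hunk.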