lzx_decompress.c: add missing validation in RLE length decoding

[wimlib] / src / lzx_decompress.c

diff --git a/src/lzx_decompress.c b/src/lzx_decompress.c
index 67fbea940f0f5ca3b00d5b921445d1048a1a6772..fe5bdbad02240a1f1ec21e3516fd9424f34bec5d 100644 (file)
--- a/src/lzx_decompress.c
+++ b/src/lzx_decompress.c
@@ -54,14 +54,14 @@
 #  include "config.h"
 #endif
 
+#include <string.h>
+
 #include "wimlib/decompressor_ops.h"
 #include "wimlib/decompress_common.h"
 #include "wimlib/error.h"
 #include "wimlib/lzx_common.h"
 #include "wimlib/util.h"
 
-#include <string.h>
-
 /* These values are chosen for fast decompression.  */
 #define LZX_MAINCODE_TABLEBITS         11
 #define LZX_LENCODE_TABLEBITS          10
@@ -228,6 +228,8 @@ lzx_read_codeword_lens(struct input_bitstream *istream, u8 *lens, unsigned num_l
                                run_len = 4 + bitstream_read_bits(istream, 1);
                                presym = read_huffsym_using_precode(istream,
                                                                    precode_decode_table);
+                               if (unlikely(presym > 17))
+                                       return -1;
                                len = *len_ptr - presym;
                                if ((s8)len < 0)
                                        len += 17;