lzx_decompress.c: add missing validation in RLE length decoding
authorEric Biggers <ebiggers3@gmail.com>
Fri, 27 Mar 2015 05:16:58 +0000 (00:16 -0500)
committerEric Biggers <ebiggers3@gmail.com>
Fri, 27 Mar 2015 05:34:16 +0000 (00:34 -0500)
Bad input found by afl-fuzz:

1f 20 00 42 00 00 33 03 45 43 45 00 20 00 00 0e

src/lzx_decompress.c

index dba27665eb278b1361a60f56998fb41ead8a1d45..fe5bdbad02240a1f1ec21e3516fd9424f34bec5d 100644 (file)
@@ -228,6 +228,8 @@ lzx_read_codeword_lens(struct input_bitstream *istream, u8 *lens, unsigned num_l
                                run_len = 4 + bitstream_read_bits(istream, 1);
                                presym = read_huffsym_using_precode(istream,
                                                                    precode_decode_table);
+                               if (unlikely(presym > 17))
+                                       return -1;
                                len = *len_ptr - presym;
                                if ((s8)len < 0)
                                        len += 17;
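Review bot: The new bound `presym > 17` is the exact limit the following arithmetic needs, but nothing on the line says so: with `*len_ptr` in 0..16, `len = *len_ptr - presym` followed by the `len += 17` wrap stays in 0..16 only for presym up to 17 (17 wraps back to `*len_ptr` itself), while 18 or 19 with a small `*len_ptr` would leave a value above 16 once it is stored back as an unsigned length. A short comment on the check would make that dependency explicit, e.g. `/* 0..16 are length symbols; 17 still wraps to a valid length, anything larger would not */`. This assumes `len` is an 8-bit unsigned and `*len_ptr` is already validated to 0..16 earlier in the function — both are outside the hunk, so worth confirming. The enclosing lzx_read_codeword_lens starts and ends outside the hunk.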