lzx-decompress.c: Don't allow using offsets of 0
author: Eric Biggers <ebiggers3@gmail.com>
Sat, 6 Sep 2014 06:08:03 +0000 (01:08 -0500)
committer: Eric Biggers <ebiggers3@gmail.com>
Sat, 6 Sep 2014 06:08:03 +0000 (01:08 -0500)
This can happen if an uncompressed block is present, since then the match
offset LRU queue is filled directly from the input buffer.  Too-large
offsets were already checked later, but offsets of 0 would cause
uninitialized memory to remain in the output buffer.
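To make the failure mode in the commit message concrete, here is an added example (not wimlib's code; the helpers `copy_match_unchecked` and `copy_match_checked` are hypothetical) of a generic LZ77-style match copy. A match with offset 0 copies every byte onto itself, so the bytes the decoder believes it produced are whatever was already in the output buffer; the checked variant rejects offset 0 alongside the "too-large" case the commit message says was already caught elsewhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helper (not wimlib's): apply one LZ77-style match to an output
 * buffer. Bytes are copied one at a time from `offset` positions back, which is
 * what lets an overlapping match (offset < len) replicate a short pattern. */
static void copy_match_unchecked(uint8_t *out, size_t out_pos, size_t offset, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[out_pos + i] = out[out_pos + i - offset];
}

/* Hardened variant: reject offset 0 (source == destination, so nothing is
 * written) and offsets that reach before the start of the output (the
 * "too-large" case), and bound the write. Returns 0 on success, -1 otherwise. */
static int copy_match_checked(uint8_t *out, size_t out_size, size_t out_pos,
                              size_t offset, size_t len)
{
    if (offset == 0 || offset > out_pos)
        return -1;
    if (len > out_size - out_pos)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[out_pos + i] = out[out_pos + i - offset];
    return 0;
}

/* Demonstrate the bug: fill the buffer with a sentinel standing in for stale
 * or uninitialized memory (constructed input), decode four literals, then apply
 * a match with offset 0. Returns how many of the "decoded" bytes still hold
 * the sentinel, i.e. were never actually written. */
static size_t count_untouched_after_offset0(void)
{
    uint8_t out[16];
    memset(out, 0xAA, sizeof out);            /* stands in for uninitialized memory */
    memcpy(out, "abcd", 4);                   /* 4 literal bytes already decoded */
    copy_match_unchecked(out, 4, 0, 8);       /* match: len 8, offset 0 */
    size_t untouched = 0;
    for (size_t i = 4; i < 12; i++)
        if (out[i] == 0xAA)
            untouched++;
    return untouched;                         /* all 8 bytes are still the sentinel */
}

/* The checked variant must accept a legitimate overlapping match and reject
 * the invalid offset and length classes. Returns 1 if every expectation holds. */
static int checked_variant_behaves(void)
{
    uint8_t out[16];
    memset(out, 0xAA, sizeof out);
    memcpy(out, "ab", 2);
    /* offset 2, len 6 from position 2 replicates the pattern: "abababab" */
    if (copy_match_checked(out, sizeof out, 2, 2, 6) != 0) return 0;
    if (memcmp(out, "abababab", 8) != 0) return 0;
    if (copy_match_checked(out, sizeof out, 8, 0, 1) != -1) return 0;   /* offset 0 */
    if (copy_match_checked(out, sizeof out, 8, 9, 1) != -1) return 0;   /* before start of output */
    if (copy_match_checked(out, sizeof out, 8, 1, 9) != -1) return 0;   /* overruns the buffer */
    return 1;
}

int main(void)
{
    printf("bytes left uninitialized by an offset-0 match: %zu\n",
           count_untouched_after_offset0());
    printf("checked variant behaves as expected: %d\n", checked_variant_behaves());
    return 0;
}
```

The point of the sentinel is that a real decoder has no such marker: an offset-0 match silently passes through whatever the allocator or a previous decompression left behind, which is the uninitialized-memory leak the commit closes.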

src/lzx-decompress.c

index f98b630d7ecdb9b025934c60de415f33add6e747..513944ee18525ab69715bb0341188b2044ad2322 100644
@@ -383,6 +383,10 @@ lzx_read_block_header(struct input_bitstream *istream,
                queue->R[0] = bitstream_read_u32(istream);
                queue->R[1] = bitstream_read_u32(istream);
                queue->R[2] = bitstream_read_u32(istream);
+
+               /* Offsets of 0 are invalid.  */
+               if (queue->R[0] == 0 || queue->R[1] == 0 || queue->R[2] == 0)
+                       return -1;
                break;
 
        default:
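Review bot: The new comment `/* Offsets of 0 are invalid.  */` states what is rejected but not why; the reason given in the commit message (a 0 offset leaves uninitialized bytes in the output buffer) belongs in the code so a later reader does not have to dig it out of history, e.g. `/* An offset of 0 would copy each byte onto itself, leaving output uninitialized.  */`. Also, the commit message notes that too-large offsets are already checked later; since this uncompressed-block branch is the one place where R[0..2] are taken straight from untrusted input, it would be worth validating both bounds here (zero, and larger than the number of bytes decoded so far) if the current output position is reachable from lzx_read_block_header, so that all validation of the queue values read from the stream lives in one spot.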