lzx-decompress.c: Don't allow using offsets of 0

This can happen if an uncompressed block is present, since then the match
offset LRU queue is filled directly from the input buffer.  Too-large
offsets were already checked later, but offsets of 0 would cause
uninitialized memory to remain in the output buffer.

diff --git a/src/lzx-decompress.c b/src/lzx-decompress.c
index f98b630d7ecdb9b025934c60de415f33add6e747..513944ee18525ab69715bb0341188b2044ad2322 100644 (file)
--- a/src/lzx-decompress.c
+++ b/src/lzx-decompress.c
@@ -383,6 +383,10 @@ lzx_read_block_header(struct input_bitstream *istream,
                queue->R[0] = bitstream_read_u32(istream);
                queue->R[1] = bitstream_read_u32(istream);
                queue->R[2] = bitstream_read_u32(istream);
+
+               /* Offsets of 0 are invalid.  */
+               if (queue->R[0] == 0 || queue->R[1] == 0 || queue->R[2] == 0)
+                       return -1;
                break;
 
        default: