From: Eric Biggers
Date: Fri, 27 Mar 2015 05:16:58 +0000 (-0500)
Subject: lzx_decompress.c: add missing validation in RLE length decoding
X-Git-Tag: v1.8.1~57
X-Git-Url: https://wimlib.net/git/?p=wimlib;a=commitdiff_plain;h=abd8714418efc184deb7bc20172025cc1672b763;hp=0b1278f508ef7606c822edadb3958c2c3648b419

lzx_decompress.c: add missing validation in RLE length decoding

Bad input found by afl-fuzz: 1f 20 00 42 00 00 33 03 45 43 45 00 20 00 00 0e
---
diff --git a/src/lzx_decompress.c b/src/lzx_decompress.c
index dba27665..fe5bdbad 100644
--- a/src/lzx_decompress.c
+++ b/src/lzx_decompress.c
@@ -228,6 +228,8 @@ lzx_read_codeword_lens(struct input_bitstream *istream, u8 *lens, unsigned num_l
 run_len = 4 + bitstream_read_bits(istream, 1);
 presym = read_huffsym_using_precode(istream, precode_decode_table);
+ if (unlikely(presym > 17))
+ return -1;
 len = *len_ptr - presym;
 if ((s8)len < 0) len += 17;