From: Eric Biggers Date: Sat, 6 Sep 2014 06:08:03 +0000 (-0500) Subject: lzx-decompress.c: Don't allow using offsets of 0 X-Git-Tag: v1.7.2~29 X-Git-Url: https://wimlib.net/git/?p=wimlib;a=commitdiff_plain;h=e02ea0a6b4aec8b3475ea24522f254affb6cfcd3 lzx-decompress.c: Don't allow using offsets of 0 This can happen if an uncompressed block is present, since then the match offset LRU queue is filled directly from the input buffer. Too-large offsets were already checked later, but offsets of 0 would cause uninitialized memory to remain in the output buffer. --- diff --git a/src/lzx-decompress.c b/src/lzx-decompress.c index f98b630d..513944ee 100644 --- a/src/lzx-decompress.c +++ b/src/lzx-decompress.c @@ -383,6 +383,10 @@ lzx_read_block_header(struct input_bitstream *istream, queue->R[0] = bitstream_read_u32(istream); queue->R[1] = bitstream_read_u32(istream); queue->R[2] = bitstream_read_u32(istream); + + /* Offsets of 0 are invalid. */ + if (queue->R[0] == 0 || queue->R[1] == 0 || queue->R[2] == 0) + return -1; break; default:
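Review bot: The new comment in the uncompressed-block case ("Offsets of 0 are invalid.") should say why, since the in-code comment is what a later reader sees, not the commit message: a match offset of 0 would copy from the current output position, so the match bytes are never written and uninitialized output-buffer memory is left in place. Something like "Offsets of 0 are invalid: a zero offset would leave uninitialized data in the output buffer" captures the reason stated in the commit message. Also, because the commit message notes that too-large offsets are already rejected later, consider documenting here that only the zero case is checked at this point and that the upper-bound check lives in the match-copy path, so the two halves of the LRU-queue validation are not mistaken for a complete check on their own. Returning -1 and failing the whole block rather than clamping the value is the right behaviour for untrusted input.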