From e02ea0a6b4aec8b3475ea24522f254affb6cfcd3 Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Sat, 6 Sep 2014 01:08:03 -0500
Subject: [PATCH] lzx-decompress.c: Don't allow using offsets of 0

This can happen if an uncompressed block is present, since then the match offset LRU queue is filled directly from the input buffer. Too-large offsets were already checked later, but offsets of 0 would cause uninitialized memory to remain in the output buffer.
---
 src/lzx-decompress.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lzx-decompress.c b/src/lzx-decompress.c
index f98b630d..513944ee 100644
--- a/src/lzx-decompress.c
+++ b/src/lzx-decompress.c
@@ -383,6 +383,10 @@ lzx_read_block_header(struct input_bitstream *istream,
 queue->R[0] = bitstream_read_u32(istream);
 queue->R[1] = bitstream_read_u32(istream);
 queue->R[2] = bitstream_read_u32(istream);
+
+ /* Offsets of 0 are invalid. */
+ if (queue->R[0] == 0 || queue->R[1] == 0 || queue->R[2] == 0)
+ return -1;
 break;
 default:
-- 
2.43.0
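Review bot: The new comment `/* Offsets of 0 are invalid. */` does not record why, which is exactly what a later maintainer needs to avoid dropping a check that looks redundant next to the range check the commit message says exists elsewhere; I would expand it to `/* R0-R2 come straight from untrusted input here. A zero offset would make a later match copy read from the position it is writing to, leaving stale/uninitialized bytes in the output, so reject it now; over-large offsets are rejected where the match is used. */`. It is also worth noting in that comment, or confirming in review, that the "checked later" bound is applied to every match that consumes these queue entries and not only to offsets decoded from the main tree, since nothing in this hunk bounds `R[0..2]` above zero and I cannot see that later check from here. The enclosing `lzx_read_block_header` switch starts and ends outside the hunk.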