FIX: too small of a type chosen for runlength code #8

ende76 · Oct 26, 2015 · 13865a4 · 13865a4
1 parent d9ebec0
commit 13865a4
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 5 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "brotli"
-version = "0.3.9"
+version = "0.3.10"
 authors = ["Thomas Pickert <ende.mail@web.de>"]
 license = "Apache-2.0"
 repository = "https://github.com/ende76/brotli-rs"

diff --git a/README.md b/README.md
@@ -8,6 +8,11 @@ Compression provides a <Read>-struct to wrap a Brotli-compressed stream. A consu
 
 ## Changelog
 
+###v0.3.9 -> v0.3.10
+----------------
+
+Fixed incorrect type for runlength code. (Thanks, [Corey](https://github.com/frewsxcv)!).
+
 ###v0.3.8 -> v0.3.9
 ----------------
 

diff --git a/src/lib.rs b/src/lib.rs
@@ -1159,7 +1159,7 @@ impl<R: Read> Decompressor<R> {
 					// debug(&format!("run length code = {:?}", run_length_code));
 
 					let repeat = match self.in_stream.read_u16_from_n_bits(run_length_code as usize) {
-						Ok(my_u16) => (1 << run_length_code) + my_u16,
+						Ok(my_u16) => (1u32 << run_length_code) + my_u16 as u32,
 						Err(_) => return Err(DecompressorError::UnexpectedEOF),
 					};
 

diff --git a/src/main.rs b/src/main.rs
@@ -4,8 +4,8 @@ use std::io::Read;
 use brotli::Decompressor;
 
 fn main() {
-    let mut input = vec![];
-    let _ = Decompressor::new(&b"\x11\x3f\x00\x00\x24\xb0\xe2\x99\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);
+	let mut input = vec![];
+	let _ = Decompressor::new(&b"\x15\x3f\x60\x00\x15\x3f\x60\x00\x27\xb0\xdb\xa8\x80\x25\x27\xb0\xdb\x40\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);
 
-    println!("{:?}", input);
+	println!("{:?}", input);
 }
diff --git a/tests/lib.rs b/tests/lib.rs
@@ -403,6 +403,19 @@ fn should_decompress_to_empty_string_frewsxcv_05() {
 	assert_eq!(Vec::<u8>::new(), input);
 }
 
+#[test]
+/// frewsxcv: fuzzer-test
+/// exposes shift overflow if too small a type has been chosen for runlength code
+/// found and reported by Corey Farwell – https://github.com/ende76/brotli-rs/issues/8
+fn should_decompress_to_empty_string_frewsxcv_06() {
+	use std::io::Read;
+	use brotli::Decompressor;
+	let mut input = vec![];
+	let _ = Decompressor::new(&b"\x15\x3f\x60\x00\x15\x3f\x60\x00\x27\xb0\xdb\xa8\x80\x25\x27\xb0\xdb\x40\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);
+
+	assert_eq!(Vec::<u8>::new(), input);
+}
+
 fn inverse_move_to_front_transform(v: &mut[u8]) {
 	let mut mtf: Vec<u8> = vec![0; 256];
 	let v_len = v.len();