FIX: arithmetic overflow on block type #6

ende76 · Oct 26, 2015 · 65e7013 · 65e7013
1 parent d1ba89d
commit 65e7013
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 9 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "brotli"
-version = "0.3.7"
+version = "0.3.8"
 authors = ["Thomas Pickert <ende.mail@web.de>"]
 license = "Apache-2.0"
 repository = "https://github.com/ende76/brotli-rs"

diff --git a/README.md b/README.md
@@ -8,6 +8,11 @@ Compression provides a <Read>-struct to wrap a Brotli-compressed stream. A consu
 
 ## Changelog
 
+###v0.3.7 -> v0.3.8
+----------------
+
+Fixed some value range checks on block types and ntree* (Thanks, [Corey](https://github.com/frewsxcv)!).
+
 ###v0.3.6 -> v0.3.7
 ----------------
 

diff --git a/src/lib.rs b/src/lib.rs
@@ -60,15 +60,15 @@ type Literal = u8;
 type Literals = Vec<Literal>;
 type MLenLiterals = Literals;
 type InsertLiterals = Literals;
-type NBltypes = u8;
+type NBltypes = u16;
+type NTrees = NBltypes;
 type BLen = u32;
 type BlockSwitch = (NBltypes, BLen);
 type NPostfix = u8;
 type NDirect = u8;
 type ContextMode = u16;
 type ContextModes = Vec<ContextMode>;
 type ContextMap = Vec<u8>;
-type NTrees = u8;
 type NSym = u8;
 type Symbol = u16;
 type Symbols = Vec<Symbol>;
@@ -579,12 +579,12 @@ impl<R: Read> Decompressor<R> {
 		};
 
 		if extra_bits > 0 {
-			match self.in_stream.read_u8_from_n_bits(extra_bits) {
-				Ok(extra) => Ok(value as NBltypes + extra),
+			match self.in_stream.read_u16_from_n_bits(extra_bits) {
+				Ok(extra) => Ok(value + extra),
 				Err(_) => Err(DecompressorError::UnexpectedEOF),
 			}
 		} else {
-			Ok(value as NBltypes)
+			Ok(value)
 		}
 	}
 
@@ -1139,7 +1139,7 @@ impl<R: Read> Decompressor<R> {
 
 		// debug(&format!("RLEMAX = {:?}", rlemax));
 
-		let alphabet_size = (rlemax + n_trees as u16) as usize;
+		let alphabet_size = (rlemax + n_trees) as usize;
 
 		// debug(&format!("Alphabet Size = {:?}", alphabet_size));
 
@@ -1347,7 +1347,7 @@ impl<R: Read> Decompressor<R> {
 		let block_type = match block_type_code {
 			0 => btype_prev,
 			1 => (btype + 1) % n_bltypes,
-			2...255 => (block_type_code - 2) as u8,
+			2...258 => block_type_code - 2,
 			_ => return Err(DecompressorError::InvalidBlockTypeCode),
 		};
 

diff --git a/src/main.rs b/src/main.rs
@@ -5,5 +5,7 @@ use brotli::Decompressor;
 
 fn main() {
     let mut input = vec![];
-    let _ = Decompressor::new(&b"\x30\x30\x40\x00\x00\x00\x00\x00".to_vec() as &[u8]).read_to_end(&mut input);
+    let _ = Decompressor::new(&b"\x1b\x3f\x00\xff\xff\xb0\xe2\x99\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);
+
+    println!("{:?}", input);
 }
diff --git a/tests/lib.rs b/tests/lib.rs
@@ -377,6 +377,19 @@ fn should_reject_frewsxcv_03() {
 	}
 }
 
+#[test]
+/// frewsxcv: fuzzer-test
+/// edge case for block type value, which _looks_ like a u8 but is just slightly bigger
+/// found and reported by Corey Farwell – https://github.com/ende76/brotli-rs/issues/6
+fn should_decompress_to_empty_string_frewsxcv_04() {
+	use std::io::Read;
+	use brotli::Decompressor;
+	let mut input = vec![];
+	let _ = Decompressor::new(&b"\x1b\x3f\x00\xff\xff\xb0\xe2\x99\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);
+
+	assert_eq!(Vec::<u8>::new(), input);
+}
+
 
 fn inverse_move_to_front_transform(v: &mut[u8]) {
 	let mut mtf: Vec<u8> = vec![0; 256];