Closed
Description
Hi. It seems that zstd will read illegal pointers and crash when presented with mangled archives. Here's one such example file (GitHub doesn't allow binary attachments, so I'm providing a hex dump):
```
0000000 fd 2f b5 1c 00 00 1c 40 00 12 31 32 31 31 31 31
0000020 31 31 31 31 32 32 32 32 32 32 32 0a 10 98 00 ff
0000040 7f 00 84 c0 00 00
```
Here's what gdb has to say about this problem:
```
(gdb) run -d <example.zst >example
Starting program: zstd -d <example.zst >example
Program received signal SIGSEGV, Segmentation fault.
0x0000000000410965 in ZSTD_decompressBlock (srcSize=28, src=0x801011000, maxDstSize=524288, dst=0x801032000, ctx=0x801006000) at lib/zstd.c:1533
(gdb) bt
#0 0x0000000000410965 in ZSTD_decompressBlock (srcSize=28, src=0x801011000, maxDstSize=524288, dst=0x801032000, ctx=0x801006000) at lib/zstd.c:1533
#1 ZSTD_decompressContinue (dctx=0x801006000, dst=0x801032000, maxDstSize=524288, src=0x801011000, srcSize=31) at lib/zstd.c:1680
#2 0x0000000000408681 in FIO_decompressFilename (output_filename=0x410f65 "-",input_filename=0x410f65 "-") at programs/fileio.c:363
#3 0x0000000000401a4d in main (argc=2, argv=0x7fffffffd9d0) at programs/zstdcli.c:314
```
This is with zstd as of commit 00f9507; the crash is located over here. The problem is that `ZSTD_decompressBlock` does not validate how big `matchLength` can get; in this case it is equal to 8650883, while `maxDstSize` is only 524288 bytes, which results in an attempt to copy past the end of the output buffer.
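A bounds-checked version of the match copy the report describes, as an added example that is not zstd's code (the function and type names are hypothetical): it refuses a match length that exceeds the remaining output space and an offset that reaches before the start of the produced output, using the report's numbers as a constructed test case.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes for the hypothetical sequence executor below. */
typedef enum { SEQ_OK = 0, SEQ_ERR_LITERALS, SEQ_ERR_OFFSET, SEQ_ERR_MATCH } seq_status;

/* One LZ77-style sequence: copy literalLen bytes from the literal stream,
 * then copy matchLen bytes from `offset` bytes behind the write position. */
typedef struct {
    size_t literalLen;
    size_t matchLen;
    size_t offset;
} lz_sequence;

/* Apply one sequence to the output buffer, checking every length against
 * the space that is actually left. `*pos` is the current write position and
 * is advanced on success; on failure nothing is written. */
seq_status execute_sequence(uint8_t *dst, size_t dstCapacity, size_t *pos,
                            const uint8_t *lit, size_t litAvail,
                            const lz_sequence *seq)
{
    size_t out = *pos;
    if (seq->literalLen > litAvail) return SEQ_ERR_LITERALS;
    if (seq->literalLen > dstCapacity - out) return SEQ_ERR_LITERALS;
    out += seq->literalLen;
    /* The check the report says is missing: matchLen must fit in what remains. */
    if (seq->matchLen > dstCapacity - out) return SEQ_ERR_MATCH;
    /* A match may only reference bytes that have already been produced. */
    if (seq->offset == 0 || seq->offset > out) return SEQ_ERR_OFFSET;

    memcpy(dst + *pos, lit, seq->literalLen);
    /* Overlapping copies (offset < matchLen) are legal in LZ formats and
     * replicate a short pattern, so copy byte by byte. */
    for (size_t i = 0; i < seq->matchLen; i++)
        dst[out + i] = dst[out + i - seq->offset];
    *pos = out + seq->matchLen;
    return SEQ_OK;
}

/* Reproduce the shape of the reported crash: a match of 8650883 bytes
 * against a 524288-byte output buffer must be rejected, not copied. */
int rejects_oversized_match(void)
{
    static uint8_t dst[524288];
    const uint8_t lit[] = "121111111112222222";    /* constructed literals */
    size_t pos = 0;
    lz_sequence seq = { sizeof lit - 1, 8650883, 4 };
    return execute_sequence(dst, sizeof dst, &pos, lit, sizeof lit - 1, &seq) == SEQ_ERR_MATCH
           && pos == 0;
}
```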