Skip to content

Commit

Permalink
FIX: incorrect array index bound check in tree lookup #7
Browse files Browse the repository at this point in the history
  • Loading branch information
ende76 committed Oct 26, 2015
1 parent 65e7013 commit d9ebec0
Show file tree
Hide file tree
Showing 5 changed files with 22 additions and 6 deletions.
2 changes: 1 addition & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[package]
name = "brotli"
version = "0.3.8"
version = "0.3.9"
authors = ["Thomas Pickert <[email protected]>"]
license = "Apache-2.0"
repository = "https://github.com/ende76/brotli-rs"
Expand Down
7 changes: 6 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,15 @@ Compression provides a <Read>-struct to wrap a Brotli-compressed stream. A consu

## Changelog

###v0.3.8 -> v0.3.9
----------------

Fixed incorrect array index bound check in tree lookup. (Thanks, [Corey](https://github.com/frewsxcv)!).

###v0.3.7 -> v0.3.8
----------------

Fixed some value range checks on block types and ntree* (Thanks, [Corey](https://github.com/frewsxcv)!).
Fixed some value range checks on block types and ntree*. (Thanks, [Corey](https://github.com/frewsxcv)!).

###v0.3.6 -> v0.3.7
----------------
Expand Down
5 changes: 2 additions & 3 deletions src/huffman/tree/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@ pub struct Tree {
//
// Length of self.buf[] = 2^(codelength + 1) - 1
//
const MAX_INDEX: usize = 32768 - 2;

impl Tree {
pub fn with_max_depth(max_depth: usize) -> Tree {
Expand Down Expand Up @@ -66,7 +65,7 @@ impl Tree {
};
}

if insert_at_index > MAX_INDEX {
if insert_at_index > self.buf.len() - 1 {
panic!("Index {:?} exceeds MAX_INDEX at insert (code = {:?})", insert_at_index, code);
}

Expand All @@ -82,7 +81,7 @@ impl Tree {
Err(e) => return Err(e),
};

if lookup_index > MAX_INDEX {
if lookup_index > self.buf.len() - 1 {
return Ok(None);
}

Expand Down
2 changes: 1 addition & 1 deletion src/main.rs
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ use brotli::Decompressor;

fn main() {
let mut input = vec![];
let _ = Decompressor::new(&b"\x1b\x3f\x00\xff\xff\xb0\xe2\x99\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);
let _ = Decompressor::new(&b"\x11\x3f\x00\x00\x24\xb0\xe2\x99\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);

println!("{:?}", input);
}
12 changes: 12 additions & 0 deletions tests/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -390,6 +390,18 @@ fn should_decompress_to_empty_string_frewsxcv_04() {
assert_eq!(Vec::<u8>::new(), input);
}

#[test]
/// frewsxcv: fuzzer-test
/// exposes wrong bound checks on tree lookup array bounds
/// found and reported by Corey Farwell – https://github.com/ende76/brotli-rs/issues/7
fn should_decompress_to_empty_string_frewsxcv_05() {
use std::io::Read;
use brotli::Decompressor;
let mut input = vec![];
let _ = Decompressor::new(&b"\x11\x3f\x00\x00\x24\xb0\xe2\x99\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);

assert_eq!(Vec::<u8>::new(), input);
}

fn inverse_move_to_front_transform(v: &mut[u8]) {
let mut mtf: Vec<u8> = vec![0; 256];
Expand Down

0 comments on commit d9ebec0

Please sign in to comment.