From d9ebec055f92a4e62f8cb3a0066d03981407e77f Mon Sep 17 00:00:00 2001
From: Ende
Date: Sun, 25 Oct 2015 22:45:42 -0400
Subject: [PATCH] FIX: incorrect array index bound check in tree lookup #7
---
 Cargo.toml | 2 +-
 README.md | 7 ++++++-
 src/huffman/tree/mod.rs | 5 ++---
 src/main.rs | 2 +-
 tests/lib.rs | 12 ++++++++++++
 5 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index f867cfe..104172f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "brotli"
-version = "0.3.8"
+version = "0.3.9"
 authors = ["Thomas Pickert "]
 license = "Apache-2.0"
 repository = "https://github.com/ende76/brotli-rs"
diff --git a/README.md b/README.md
index 9e3e2eb..0162216 100644
--- a/README.md
+++ b/README.md
@@ -8,10 +8,15 @@ Compression provides a -struct to wrap a Brotli-compressed stream. A consu
 ## Changelog
+###v0.3.8 -> v0.3.9
+----------------
+
+Fixed incorrect array index bound check in tree lookup. (Thanks, [Corey](https://github.com/frewsxcv)!).
+
 ###v0.3.7 -> v0.3.8
 ----------------
-Fixed some value range checks on block types and ntree* (Thanks, [Corey](https://github.com/frewsxcv)!).
+Fixed some value range checks on block types and ntree*. (Thanks, [Corey](https://github.com/frewsxcv)!).
 ###v0.3.6 -> v0.3.7
 ----------------
diff --git a/src/huffman/tree/mod.rs b/src/huffman/tree/mod.rs
index 09ed5c8..2be143f 100644
--- a/src/huffman/tree/mod.rs
+++ b/src/huffman/tree/mod.rs
@@ -32,7 +32,6 @@ pub struct Tree {
 //
 // Length of self.buf[] = 2^(codelength + 1) - 1
 //
-const MAX_INDEX: usize = 32768 - 2;
 impl Tree {
 pub fn with_max_depth(max_depth: usize) -> Tree {
@@ -66,7 +65,7 @@ impl Tree {
 };
 }
- if insert_at_index > MAX_INDEX {
+ if insert_at_index > self.buf.len() - 1 {
 panic!("Index {:?} exceeds MAX_INDEX at insert (code = {:?})", insert_at_index, code);
 }
@@ -82,7 +81,7 @@ impl Tree {
 Err(e) => return Err(e),
 };
- if lookup_index > MAX_INDEX {
+ if lookup_index > self.buf.len() - 1 {
 return Ok(None);
 }
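Review bot: `self.buf.len() - 1` in the insert check, and again in the lookup check of the following hunk, underflows if `buf` is ever empty: a debug build panics on the subtraction and a release build wraps to `usize::MAX`, so the guard never fires and the index that follows is out of range. Comparing without the subtraction removes that case: `if insert_at_index >= self.buf.len() {` and `if lookup_index >= self.buf.len() {`. The panic text still reads "exceeds MAX_INDEX" although this commit deletes that constant; `"Index {:?} exceeds tree buffer length at insert (code = {:?})"` would match the new check. The insert path also still panics on an out-of-range index, and if the codes inserted here are derived from the compressed stream (not visible in the hunk), a malformed input can abort the caller instead of yielding an error. Both functions begin and end outside their hunks, as does `with_max_depth`, so whether `buf` can be empty cannot be confirmed from here.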
diff --git a/src/main.rs b/src/main.rs
index cee43bb..89c93f8 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -5,7 +5,7 @@ use brotli::Decompressor;
 fn main() {
 let mut input = vec![];
- let _ = Decompressor::new(&b"\x1b\x3f\x00\xff\xff\xb0\xe2\x99\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);
+ let _ = Decompressor::new(&b"\x11\x3f\x00\x00\x24\xb0\xe2\x99\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);
 println!("{:?}", input);
 }
\ No newline at end of file
diff --git a/tests/lib.rs b/tests/lib.rs
index 47fe26e..a0f55d5 100644
--- a/tests/lib.rs
+++ b/tests/lib.rs
@@ -390,6 +390,18 @@ fn should_decompress_to_empty_string_frewsxcv_04() {
 assert_eq!(Vec::::new(), input);
 }
+#[test]
+/// frewsxcv: fuzzer-test
+/// exposes wrong bound checks on tree lookup array bounds
+/// found and reported by Corey Farwell – https://github.com/ende76/brotli-rs/issues/7
+fn should_decompress_to_empty_string_frewsxcv_05() {
+ use std::io::Read;
+ use brotli::Decompressor;
+ let mut input = vec![];
+ let _ = Decompressor::new(&b"\x11\x3f\x00\x00\x24\xb0\xe2\x99\x80\x12".to_vec() as &[u8]).read_to_end(&mut input);
+
+ assert_eq!(Vec::::new(), input);
+}
 fn inverse_move_to_front_transform(v: &mut[u8]) {
 let mut mtf: Vec = vec![0; 256];
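Review bot: The new regression test in tests/lib.rs discards the `read_to_end` result with `let _ =`, so it passes whether the decoder rejects the fuzzer input with an error or simply stops early; only a panic or non-empty output fails it. Binding the result, e.g. `let result = Decompressor::new(/* same bytes */).read_to_end(&mut input);`, and asserting the intended outcome (`assert!(result.is_err());` if this stream is meant to be rejected) would pin the behaviour the bounds fix is supposed to guarantee. Which outcome is correct for this input is not visible in the hunk, so the assertion should follow the decoder's documented contract.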