LibCompress: Avoid buffer overrun when building canonical Huffman code
Previously, decompressing a DEFLATE stream with an invalid canonical Huffman code could cause a buffer overrun. We now return an error in this case.
parent
bc6638682d
commit
2f26a7bb12
Notes:
sideshowbarker
2024-07-17 22:41:14 +09:00
Author: https://github.com/tcl3 Commit: https://github.com/SerenityOS/serenity/commit/2f26a7bb12 Pull-request: https://github.com/SerenityOS/serenity/pull/21391 Reviewed-by: https://github.com/timschumi ✅
|
@ -55,6 +55,13 @@ TEST_CASE(canonical_code_complex)
|
|||
EXPECT_EQ(MUST(huffman.read_symbol(bit_stream)), output[idx]);
|
||||
}
|
||||
|
||||
TEST_CASE(invalid_canonical_code)
|
||||
{
|
||||
Array<u8, 257> code;
|
||||
code.fill(0x08);
|
||||
EXPECT(Compress::CanonicalCode::from_bytes(code).is_error());
|
||||
}
|
||||
|
||||
TEST_CASE(deflate_decompress_compressed_block)
|
||||
{
|
||||
Array<u8, 28> const compressed {
|
||||
|
|
|
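Review bot: The new `invalid_canonical_code` test does not say why its input is invalid, so a later reader cannot tell which property is expected to trigger the error. A comment above `code.fill(0x08);` such as `// 257 symbols of length 8 cannot all be assigned: only 256 distinct 8-bit codes exist.` would document it. The test also covers only a single length (0x08). If `from_bytes` is meant to reject over-subscribed codes at longer lengths too, a second case filled with a larger length would pin that down.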
@ -100,6 +100,9 @@ ErrorOr<CanonicalCode> CanonicalCode::from_bytes(ReadonlyBytes bytes)
|
|||
return Error::from_string_literal("Failed to decode code lengths");
|
||||
|
||||
if (code_length <= CanonicalCode::max_allowed_prefixed_code_length) {
|
||||
if (number_of_prefix_codes >= prefix_codes.size())
|
||||
return Error::from_string_literal("Invalid canonical Huffman code");
|
||||
|
||||
auto& prefix_code = prefix_codes[number_of_prefix_codes++];
|
||||
prefix_code.symbol_code = next_code;
|
||||
prefix_code.symbol_value = symbol;
|
||||
|
|
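Review bot: The added bounds check sits inside the `code_length <= CanonicalCode::max_allowed_prefixed_code_length` branch, so it protects the `prefix_codes[number_of_prefix_codes++]` write but does not itself reject over-subscribed codes at longer lengths. Those cases depend on the earlier check that returns "Failed to decode code lengths", whose condition is outside this hunk. The test input apparently got past that earlier check and reached the table write, so it is worth confirming that the check rejects a code as soon as a length's code space is exhausted, not one assignment later. A short comment on the new guard would also help, e.g. `// An over-subscribed code can yield more short codes than the prefix table has entries.` `from_bytes` starts and ends outside the hunk.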