Added: Sanity check that the user provided a valid compressed data si…

…ze to bz3_decode_block
kspalaiologos · Dec 14, 2024 · f682023 · f682023
1 parent 510c4ca
commit f682023
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 13 deletions.
diff --git a/include/libbz3.h b/include/libbz3.h
@@ -185,10 +185,10 @@ BZIP3_API int32_t bz3_encode_block(struct bz3_state * state, uint8_t * buffer, i
  * The size must not exceed the block size associated with the state.
  * 
  * @param buffer_size The size of the buffer at 'buffer'
- * @param size The size of the compressed data in 'buffer'
+ * @param compressed_size The size of the compressed data in 'buffer'
  * @param orig_size The original size of the data before compression.
  */
-BZIP3_API int32_t bz3_decode_block(struct bz3_state * state, uint8_t * buffer, size_t buffer_size, int32_t size, int32_t orig_size);
+BZIP3_API int32_t bz3_decode_block(struct bz3_state * state, uint8_t * buffer, size_t buffer_size, int32_t compressed_size, int32_t orig_size);
 
 /**
  * @brief Encode `n' blocks, all in parallel.

diff --git a/src/libbz3.c b/src/libbz3.c
@@ -645,9 +645,9 @@ BZIP3_API s32 bz3_encode_block(struct bz3_state * state, u8 * buffer, s32 data_s
     return data_size + overhead * 4 + 1;
 }
 
-BZIP3_API s32 bz3_decode_block(struct bz3_state * state, u8 * buffer, size_t buffer_size, s32 data_size, s32 orig_size) {
-    // Need minimum bytes for initial header
-    if (buffer_size < 9) {
+BZIP3_API s32 bz3_decode_block(struct bz3_state * state, u8 * buffer, size_t buffer_size, s32 compressed_size, s32 orig_size) {
+    // Need minimum bytes for initial header, and compressed_size needs to fit within claimed buffer size.
+    if (buffer_size < 9 || buffer_size < compressed_size) {
         state->last_error = BZ3_ERR_DATA_SIZE_TOO_SMALL;
         return -1;
     }
@@ -656,31 +656,31 @@ BZIP3_API s32 bz3_decode_block(struct bz3_state * state, u8 * buffer, size_t buf
     u32 crc32 = read_neutral_s32(buffer);
     s32 bwt_idx = read_neutral_s32(buffer + 4);
 
-    if (data_size > bz3_bound(state->block_size) || data_size < 0) {
+    if (compressed_size > bz3_bound(state->block_size) || compressed_size < 0) {
         state->last_error = BZ3_ERR_MALFORMED_HEADER;
         return -1;
     }
 
     if (bwt_idx == -1) {
-        if (data_size - 8 > 64 || data_size < 8) {
+        if (compressed_size - 8 > 64 || compressed_size < 8) {
             state->last_error = BZ3_ERR_MALFORMED_HEADER;
             return -1;
         }
 
         // Ensure there's enough space for the raw copied data.
-        if (data_size - 8 > buffer_size) {
+        if (compressed_size - 8 > buffer_size) {
             state->last_error = BZ3_ERR_DATA_SIZE_TOO_SMALL;
             return -1;
         }
 
-        memmove(buffer, buffer + 8, data_size - 8);
+        memmove(buffer, buffer + 8, compressed_size - 8);
 
-        if (crc32sum(1, buffer, data_size - 8) != crc32) {
+        if (crc32sum(1, buffer, compressed_size - 8) != crc32) {
             state->last_error = BZ3_ERR_CRC;
             return -1;
         }
 
-        return data_size - 8;
+        return compressed_size - 8;
     }
 
     s8 model = buffer[8];
@@ -697,7 +697,7 @@ BZIP3_API s32 bz3_decode_block(struct bz3_state * state, u8 * buffer, size_t buf
     if (model & 4) rle_size = read_neutral_s32(buffer + 9 + 4 * p++);
     p += 2;
 
-    data_size -= p * 4 + 1;
+    compressed_size -= p * 4 + 1;
 
     if (((model & 2) && (lzp_size > bz3_bound(state->block_size) || lzp_size < 0)) ||
         ((model & 4) && (rle_size > bz3_bound(state->block_size) || rle_size < 0))) {
@@ -734,7 +734,7 @@ BZIP3_API s32 bz3_decode_block(struct bz3_state * state, u8 * buffer, size_t buf
     begin(state->cm_state);
     state->cm_state->in_queue = b1 + p * 4 + 1;
     state->cm_state->input_ptr = 0;
-    state->cm_state->input_max = data_size;
+    state->cm_state->input_max = compressed_size;
 
     decode_bytes(state->cm_state, b2, size_before_bwt);
     swap(b1, b2);