authorJeffrey Walton <noloader@gmail.com>2017-05-10 04:15:42 -0400
committerJeffrey Walton <noloader@gmail.com>2017-05-10 04:15:42 -0400
commit9b383e8a07ca323d95f1bd378698d1f2e2c37db9 (patch)
tree4046021cb8308141d25d68fd4d88abaadd25bf15 /zinflate.cpp
parent093499260ec23c901059c45a4048781a8da41848 (diff)
Clear out-of-bounds read when fuzzing
zinflate.cpp:553:41: runtime error: index 30 out of bounds for type 'unsigned int [30]' zinflate.cpp:553:11: runtime error: load of address 0x0000011806b8 with insufficient space for an object of type 'const unsigned int' zinflate.cpp:32:32: runtime error: shift exponent 64 is too large for 64-bit type 'long unsigned int'
Diffstat (limited to 'zinflate.cpp')
-rw-r--r--zinflate.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/zinflate.cpp b/zinflate.cpp
index 6d8c31e7..62431771 100644
--- a/zinflate.cpp
+++ b/zinflate.cpp
@@ -550,7 +550,9 @@ bool Inflator::DecodeBody()
break;
}
case DISTANCE_BITS:
- bits = distanceExtraBits[m_distance];
+ // TODO: this surfaced during fuzzing. What do we do???
+ CRYPTOPP_ASSERT(m_distance < COUNTOF(distanceExtraBits));
+ bits = (m_distance >= COUNTOF(distanceExtraBits)) ? distanceExtraBits[29] : distanceExtraBits[m_distance];
if (!m_reader.FillBuffer(bits))
{
m_nextDecode = DISTANCE_BITS;
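Review bot: In the DISTANCE_BITS case an out-of-range `m_distance` is clamped to `distanceExtraBits[29]` and decoding continues, so a malformed stream is silently accepted instead of rejected. `CRYPTOPP_ASSERT` is presumably compiled out in release builds, which leaves the clamp as the only handling. DEFLATE distance codes 30 and 31 are invalid, so failing closed answers the TODO: `if (m_distance >= COUNTOF(distanceExtraBits)) throw BadBlockErr();` followed by the original `bits = distanceExtraBits[m_distance];`. The clamp also leaves `m_distance` itself unchanged, and DecodeBody continues outside this hunk, so any later table lookup keyed on `m_distance` would still be out of range and is worth checking. The hard-coded `29` would also go stale if the table size ever changed.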