Fix shift overflow in inflate and send_code.
mtl1979 committed Jan 27, 2025
1 parent a0fa247 commit 49c8e86
Showing 4 changed files with 18 additions and 12 deletions.
4 changes: 2 additions & 2 deletions infback.c
@@ -102,7 +102,7 @@ int32_t Z_EXPORT PREFIX(inflateBackInit_)(PREFIX3(stream) *strm, int32_t windowB
do { \
PULL(); \
have--; \
hold += ((unsigned)(*next++) << bits); \
hold += ((uint64_t)(*next++) << bits); \
bits += 8; \
} while (0)

@@ -154,7 +154,7 @@ int32_t Z_EXPORT PREFIX(inflateBack)(PREFIX3(stream) *strm, in_func in, void *in
z_const unsigned char *next; /* next input */
unsigned char *put; /* next output */
unsigned have, left; /* available input and output */
uint32_t hold; /* bit buffer */
uint64_t hold; /* bit buffer */
unsigned bits; /* bits in bit buffer */
unsigned copy; /* number of stored or match bytes to copy */
unsigned char *from; /* where to copy match bytes from */
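Review bot: Neither the widened declaration `uint64_t hold; /* bit buffer */` nor the new `(uint64_t)` cast in the byte-pull macro says which shift count the extra width is meant to cover, so a later reader cannot tell whether 64 bits is a requirement or just headroom. A short comment on the declaration, for example `/* bit buffer; 64-bit so that byte << bits stays within the operand width */`, would record the intent, assuming that is the overflow the commit title refers to. The same applies to the matching macro and declaration in inflate.c. Both the macro and inflateBack start and end outside the visible hunks.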
12 changes: 6 additions & 6 deletions inflate.c
@@ -291,7 +291,7 @@ int32_t Z_EXPORT PREFIX(inflatePrime)(PREFIX3(stream) *strm, int32_t bits, int32
if (bits > 16 || state->bits + (unsigned int)bits > 32)
return Z_STREAM_ERROR;
value &= (1L << bits) - 1;
state->hold += (unsigned)value << state->bits;
state->hold += (uint64_t)value << state->bits;
state->bits += (unsigned int)bits;
return Z_OK;
}
@@ -387,7 +387,7 @@ static void updatewindow(PREFIX3(stream) *strm, const uint8_t *end, uint32_t len
do { \
if (have == 0) goto inf_leave; \
have--; \
hold += ((unsigned)(*next++) << bits); \
hold += ((uint64_t)(*next++) << bits); \
bits += 8; \
} while (0)

@@ -479,7 +479,7 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) {
unsigned char *put; /* next output */
unsigned char *from; /* where to copy match bytes from */
unsigned have, left; /* available input and output */
uint32_t hold; /* bit buffer */
uint64_t hold; /* bit buffer */
unsigned bits; /* bits in bit buffer */
uint32_t in, out; /* save starting available input and output */
unsigned copy; /* number of stored or match bytes to copy */
@@ -577,7 +577,7 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) {
case TIME:
NEEDBITS(32);
if (state->head != NULL)
state->head->time = hold;
state->head->time = (unsigned)(hold);
if ((state->flags & 0x0200) && (state->wrap & 4))
CRC4(state->check, hold);
INITBITS();
@@ -704,7 +704,7 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) {
#endif
case DICTID:
NEEDBITS(32);
strm->adler = state->check = ZSWAP32(hold);
strm->adler = state->check = ZSWAP32((unsigned)hold);
INITBITS();
state->mode = DICT;
Z_FALLTHROUGH;
@@ -1128,7 +1128,7 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) {
#ifdef GUNZIP
state->flags ? hold :
#endif
ZSWAP32(hold)) != state->check) {
ZSWAP32((unsigned)hold)) != state->check) {
SET_BAD("incorrect data check");
break;
}
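Review bot: In the data-check comparison at the end of this section, the GUNZIP arm `state->flags ? hold :` still yields the full 64-bit `hold` while the other arm was narrowed to `ZSWAP32((unsigned)hold)`, so the conditional expression is now 64 bits wide and the comparison with `state->check` is only correct while `hold` has nothing set above bit 31. That presumably holds after the preceding NEEDBITS(32), which is outside the hunk, but writing `state->flags ? (uint32_t)hold :` would make both arms agree and keep a stray high bit from surfacing as a spurious "incorrect data check". `CRC4(state->check, hold)` in the TIME case also receives the unnarrowed value, and the `state->bits + (unsigned int)bits > 32` bound in inflatePrime still assumes a 32-bit payload; a comment stating that only the low 32 bits are meaningful at these points would help. inflate() continues outside every hunk shown.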
4 changes: 2 additions & 2 deletions inflate.h
@@ -121,7 +121,7 @@ struct ALIGNED_(64) inflate_state {
uint32_t chunksize; /* size of memory copying chunk */

/* bit accumulator */
uint32_t hold; /* input bit accumulator */
uint64_t hold; /* input bit accumulator */
unsigned bits; /* number of bits in "in" */
/* fixed and dynamic code tables */
unsigned lenbits; /* index bits for lencode */
@@ -141,7 +141,7 @@ struct ALIGNED_(64) inflate_state {
code *next; /* next available space in codes[] */

#if defined(_M_IX86) || defined(_M_ARM)
uint32_t padding[2];
uint32_t padding[1];
#endif
struct crc32_fold_s ALIGNED_(16) crc_fold;

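Review bot: The `padding[1]` count under `_M_IX86 || _M_ARM` is now tied to the width of `hold`, and nothing in the struct records that dependency. Dropping one word assumes that widening `hold` moves `crc_fold` by exactly four bytes, which depends on how those 32-bit ABIs align a `uint64_t` placed after `chunksize`; that cannot be determined from this hunk. A comment on the padding line such as `/* sized by hand for 32-bit MSVC layouts; recount when a field above changes width */` would flag it for the next change, with the wording to be confirmed by whoever knows why the padding exists. The struct begins and ends outside the visible hunks.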
10 changes: 8 additions & 2 deletions trees_emit.h
@@ -53,9 +53,15 @@ extern Z_INTERNAL const int base_dist[D_CODES];
bi_buf = val;\
bi_valid = len;\
} else {\
bi_buf |= val << bi_valid;\
if (bi_valid < BIT_BUF_SIZE) {\
bi_buf |= val << bi_valid;\
}\
put_uint64(s, bi_buf);\
bi_buf = val >> (BIT_BUF_SIZE - bi_valid);\
if (bi_valid < BIT_BUF_SIZE) {\
bi_buf = val >> (BIT_BUF_SIZE - bi_valid);\
} else {\
bi_buf = val;\
}\
bi_valid = total_bits - BIT_BUF_SIZE;\
}\
}
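Review bot: The two added `if (bi_valid < BIT_BUF_SIZE)` guards bound the shift counts only from the `bi_valid` side; the right shift `val >> (BIT_BUF_SIZE - bi_valid)` still gets a count of BIT_BUF_SIZE when `bi_valid` is 0, which this arm can presumably reach only if `len` is at least BIT_BUF_SIZE. Callers likely never pass such a length, but the macro does not state it; a comment above the arm such as `/* requires len < BIT_BUF_SIZE; bi_valid >= BIT_BUF_SIZE is handled without shifting */` would record the precondition the guards rely on. The branch just above the changed lines (`bi_buf = val; bi_valid = len;`) appears to cover the full-buffer case already, so it is worth confirming whether the new `else` arm is reachable or is there to satisfy an analyzer. The macro and its branch conditions begin outside the hunk.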
