From 600d8871435977633fa47b91fe570e634b2000fb Mon Sep 17 00:00:00 2001
From: Roy Oursler
Date: Mon, 24 Oct 2016 21:13:47 -0400
Subject: [PATCH] igzip: Fix bug in inflate when exactly one distance is coded

Initialize the lookup table so invalid lookups do not cause segfaults.

Change-Id: Ibb88c4c473fa233f8821c35b3e32ff62814c2b15
Signed-off-by: Roy Oursler
---
 igzip/igzip_fuzz_inflate.c | 2 ++
 igzip/igzip_inflate.c | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/igzip/igzip_fuzz_inflate.c b/igzip/igzip_fuzz_inflate.c
index 58ee637..844e9fb 100644
--- a/igzip/igzip_fuzz_inflate.c
+++ b/igzip/igzip_fuzz_inflate.c
@@ -60,6 +60,8 @@ int main(int argc, char *argv[])
 fread(in_buf, 1, in_file_size, in);
 /* Inflate data with isal_inflate */
+ memset(state, 0xff, sizeof(struct inflate_state));
+
 isal_inflate_init(state);
 state->next_in = in_buf;
 state->avail_in = in_file_size;
diff --git a/igzip/igzip_inflate.c b/igzip/igzip_inflate.c
index 7d395bf..1c80638 100644
--- a/igzip/igzip_inflate.c
+++ b/igzip/igzip_inflate.c
@@ -190,6 +190,9 @@ static void inline make_inflate_huff_code_large(struct inflate_huff_code_large *
 last_length = huff_code_table[code_list[0]].length;
 copy_size = (1 << last_length);
+ /* Initialize short_code_lookup, so invalid lookups process data */
+ memset(short_code_lookup, 0x1d, copy_size * sizeof(*short_code_lookup));
+
 for (k = 0; k < code_list_len; k++) {
 i = code_list[k];
 if (huff_code_table[i].length > ISAL_DECODE_LONG_BITS)
@@ -342,6 +345,9 @@ static void inline make_inflate_huff_code_small(struct inflate_huff_code_small *
 last_length = huff_code_table[code_list[0]].length;
 copy_size = (1 << last_length);
+ /* Initialize short_code_lookup, so invalid lookups process data */
+ memset(short_code_lookup, 0x1d, copy_size * sizeof(*short_code_lookup));
+
 for (k = 0; k < code_list_len; k++) {
 i = code_list[k];
 if (huff_code_table[i].length > ISAL_DECODE_SHORT_BITS)
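Review bot: The added `memset(state, 0xff, sizeof(struct inflate_state));` in the fuzz harness carries no comment saying it is deliberate poisoning, and it now sits under the existing "Inflate data with isal_inflate" comment, so a later cleanup could mistake it for a redundant clear before `isal_inflate_init(state)` and remove it. A line such as `/* Poison state so fields isal_inflate_init() does not set are not accidentally zero */` above it, together with `sizeof(*state)` in place of the struct name, would keep the intent visible and the size tied to the variable. A single fill pattern only exposes uninitialized fields for which 0xff happens to misbehave, so running the same harness under a memory sanitizer would be a useful complement. main() starts and ends outside the hunk.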
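Review bot: The fill byte `0x1d` in the new `memset` of make_inflate_huff_code_large is an unexplained magic value, and because memset writes bytes, every entry becomes a repeated 0x1d pattern whose decoded meaning depends on the element width of `short_code_lookup`; the identical line added to make_inflate_huff_code_small (the hunk at -342) has the same problem. The comment "so invalid lookups process data" does not say what an unassigned code now decodes to, nor whether the decoder later rejects it as an invalid stream, which is what someone auditing malformed-input handling needs to know. I would give the value a name and replace the comment with something like `/* Pre-fill so codes left unassigned by an incomplete tree decode to a fixed, known entry rather than uninitialized memory */`, extended with what that entry represents. Only the first `copy_size` entries are filled here; whether the remainder of the table is covered by later code is outside the hunk, as are the start and end of both functions.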