path: root/main/libmspack/CVE-2017-6419.patch
diff --git a/mspack/chmd.c b/mspack/chmd.c
index 5a6ef54..1a486c8 100644
--- a/mspack/chmd.c
+++ b/mspack/chmd.c
@@ -1269,9 +1269,15 @@ static int read_spaninfo(struct mschm_decompressor_p *self,
 
     /* get the uncompressed length of the LZX stream */
     err = read_off64(length_ptr, data, sys, self->d->infh);
-
     sys->free(data);
-    return (err) ? MSPACK_ERR_DATAFORMAT : MSPACK_ERR_OK;
+    if (err) return MSPACK_ERR_DATAFORMAT;
+
+    if (*length_ptr <= 0) {
+        D(("output length is invalid"))
+        return MSPACK_ERR_DATAFORMAT;
+    }
+
+    return MSPACK_ERR_OK;
 }
 
 /***************************************
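Review bot: The new `if (*length_ptr <= 0)` guard carries no comment explaining why a length of exactly zero is rejected together with negative values, and the check added to lzxd_init() in this same patch only rejects values below zero, so a reader cannot tell whether zero-length spans are deliberately invalid here or whether the two checks merely drifted apart. I would state the intent above the test, e.g. `/* a stream length of zero or less cannot describe valid LZX output; reject it here, before it reaches the decoder (presumably via lzxd_init) */`, with the "presumably" confirmed against the caller once that code is in view. The D() trace string "output length is invalid" is fine as-is. read_spaninfo's signature and the first part of its body lie outside this hunk.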
diff --git a/mspack/lzxd.c b/mspack/lzxd.c
index 2281e7b..d164df9 100644
--- a/mspack/lzxd.c
+++ b/mspack/lzxd.c
@@ -300,8 +300,14 @@ struct lzxd_stream *lzxd_init(struct mspack_system *system,
       if (window_bits < 15 || window_bits > 21) return NULL;
   }
 
+  if (reset_interval < 0 || output_length < 0) {
+      D(("reset interval or output length < 0"))
+      return NULL;
+  }
+
+  /* round up input buffer size to multiple of two */
   input_buffer_size = (input_buffer_size + 1) & -2;
-  if (!input_buffer_size) return NULL;
+  if (input_buffer_size < 2) return NULL;
 
   /* allocate decompression state */
   if (!(lzx = (struct lzxd_stream *) system->alloc(system, sizeof(struct lzxd_stream)))) {
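Review bot: The rounding on `input_buffer_size = (input_buffer_size + 1) & -2;` still executes before any range check, so if input_buffer_size is a signed int — the `& -2` idiom strongly suggests it is, though the parameter list is outside this hunk — a caller passing INT_MAX causes signed overflow, which is undefined behaviour, before the new `if (input_buffer_size < 2) return NULL;` can reject anything. Bounding the value first closes that: `if (input_buffer_size < 1 || input_buffer_size > INT_MAX - 1) return NULL;` ahead of the rounding (needs `<limits.h>`), after which the `< 2` test becomes a harmless double check. Separately, `output_length < 0` admits zero here while read_spaninfo() in this same patch rejects `<= 0`; the two should agree, or the comment should say why zero is acceptable at this layer. lzxd_init's parameter list and the rest of its body are outside the hunk.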
@@ -382,7 +388,7 @@ int lzxd_set_reference_data(struct lzxd_stream *lzx,
 }
 
 void lzxd_set_output_length(struct lzxd_stream *lzx, off_t out_bytes) {
-  if (lzx) lzx->length = out_bytes;
+  if (lzx && out_bytes > 0) lzx->length = out_bytes;
 }
 
 int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) {
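Review bot: lzxd_set_output_length() now silently discards a non-positive out_bytes and, being void, gives the caller no indication that lzx->length was left untouched, whereas the equivalent rejections in lzxd_init() and read_spaninfo() in this patch emit a D() trace. I would at least make the drop visible in debug builds: `if (!lzx) return;` / `if (out_bytes > 0) lzx->length = out_bytes;` / `else D(("ignoring non-positive output length"))`. Note also that zero is rejected here but accepted by lzxd_init()'s `output_length < 0` check; one rule for both entry points would be easier to reason about.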
diff --git a/mspack/mszipd.c b/mspack/mszipd.c
index 5b4756d..6ecd96d 100644
--- a/mspack/mszipd.c
+++ b/mspack/mszipd.c
@@ -349,8 +349,9 @@ struct mszipd_stream *mszipd_init(struct mspack_system *system,
 
   if (!system) return NULL;
 
+  /* round up input buffer size to multiple of two */
   input_buffer_size = (input_buffer_size + 1) & -2;
-  if (!input_buffer_size) return NULL;
+  if (input_buffer_size < 2) return NULL;
 
   /* allocate decompression state */
   if (!(zip = (struct mszipd_stream *) system->alloc(system, sizeof(struct mszipd_stream)))) {
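Review bot: As in lzxd_init(), the `input_buffer_size = (input_buffer_size + 1) & -2;` rounding runs before the new `< 2` check, so a signed input_buffer_size of INT_MAX (the parameter type is outside this hunk, so this is inferred from the `& -2` idiom) overflows — undefined behaviour — before the check can fire. A range test ahead of the rounding, `if (input_buffer_size < 1 || input_buffer_size > INT_MAX - 1) return NULL;` with `<limits.h>` included, removes that path; keeping the same guard in mszipd_init(), lzxd_init() and qtmd_init() keeps the three decoders consistent. mszipd_init's parameter list and the remainder of its body are outside the hunk.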
diff --git a/mspack/qtmd.c b/mspack/qtmd.c
index 12b27f5..5d2c76f 100644
--- a/mspack/qtmd.c
+++ b/mspack/qtmd.c
@@ -197,6 +197,7 @@ struct qtmd_stream *qtmd_init(struct mspack_system *system,
   /* Quantum supports window sizes of 2^10 (1Kb) through 2^21 (2Mb) */
   if (window_bits < 10 || window_bits > 21) return NULL;
 
+  /* round up input buffer size to multiple of two */
   input_buffer_size = (input_buffer_size + 1) & -2;
   if (input_buffer_size < 2) return NULL;