More unbounded input fixes. Re-fix for px20 (#64)

temisu · Mar 18, 2024 · b0cacc3 · b0cacc3
1 parent c2c5491
commit b0cacc3
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 4 deletions.
diff --git a/.github/workflows/ubuntu-20.04-make.yml b/.github/workflows/ubuntu-20.04-make.yml
@@ -15,3 +15,5 @@ jobs:
       run: sudo apt-get update && sudo apt-get install -y build-essential make
     - name: make
       run: make -f Makefile.unix EXTRA_CFLAGS=-Werror
+    - name: test
+      run: ./obj/test
diff --git a/src/CompressDecompressor.cpp b/src/CompressDecompressor.cpp
@@ -86,7 +86,7 @@ void CompressDecompressor::decompressImpl(Buffer &rawData,bool verify)
 	size_t prevCodePos=inputStream.getOffset();
 
 	uint32_t firstCode{readBits(codeBits)};
-	LZWDecoder decoder{1U<<_maxBits,_hasBlocks?257U:256U,69001U,firstCode};
+	LZWDecoder decoder{1U<<_maxBits,_hasBlocks?257U:256U,8192U,firstCode};
 	decoder.write(firstCode,false,writeByte);
 
 	// This is actually surprising for a compressor
@@ -101,7 +101,8 @@ void CompressDecompressor::decompressImpl(Buffer &rawData,bool verify)
 	auto reset=[&]()
 	{
 		bitReader.reset(0,0);
-		inputStream.setOffset(prevCodePos+codeBits);
+		prevCodePos+=codeBits;
+		inputStream.setOffset(prevCodePos);
 		codeCounter=0;
 	};
 

diff --git a/src/MMCMPDecompressor.cpp b/src/MMCMPDecompressor.cpp
@@ -33,6 +33,8 @@ MMCMPDecompressor::MMCMPDecompressor(const Buffer &packedData,bool exactSizeKnow
 	_blocks=packedData.readLE16(12U);
 	_blocksOffset=packedData.readLE32(18U);
 	_rawSize=packedData.readLE32(14U);
+	if (_rawSize>getMaxRawSize())
+		throw InvalidFormatError();
 	if (OverflowCheck::sum(_blocksOffset,uint32_t(_blocks)*4U)>packedData.size())
 		throw InvalidFormatError();
 

diff --git a/src/PPDecompressor.cpp b/src/PPDecompressor.cpp
@@ -318,7 +318,9 @@ void PPDecompressor::findKeyRound(BackwardInputStream &inputStream,LSBBitReader<
 		bitReader.readBitsBE32(count);
 	};
 
-	for (;;)
+	uint32_t foundIter=0;
+	// TODO: Random constant. For decompression/keyfinding bombs
+	while (foundIter<1024)
 	{
 		// this is the checkpoint. Hardly ideal, but best we can do without co-routines
 		inputOffset=uint32_t(inputStream.getOffset());
@@ -364,10 +366,12 @@ void PPDecompressor::findKeyRound(BackwardInputStream &inputStream,LSBBitReader<
 			count=modeIndex+2;
 			distance=readBits(_modeTable[modeIndex])+1;
 		}
-		if (outputPosition+count+distance>_rawSize || count>outputPosition)
+		if (outputPosition+distance>_rawSize || count>outputPosition)
 			failed=true;
 		if (failed) break;
 		outputPosition-=count;
+
+		if (keyMask==0xffff'ffffU) foundIter++;
 	}
 	if (failed) return;
 	// If not all bits are resolved, that is bad