fixed decoder error (32-bits mode, malicious input)
diff --git a/lib/zstd_decompress.c b/lib/zstd_decompress.c
index bd6cb09..66de4bc 100644
--- a/lib/zstd_decompress.c
+++ b/lib/zstd_decompress.c
@@ -785,11 +785,12 @@
if (srcSize != ctx->expected) return ERROR(srcSize_wrong);
if (dst != ctx->previousDstEnd) /* not contiguous */
{
- ctx->dictEnd = ctx->previousDstEnd;
- if ((dst > ctx->base) && (dst < ctx->previousDstEnd)) /* rolling buffer : new segment right into tracked memory */
+ if (((char*)dst + maxDstSize > (char*)ctx->base) && (dst < ctx->previousDstEnd)) /* rolling buffer : new segment into dictionary */
ctx->base = (char*)dst + maxDstSize; /* temporary affectation, for vBase calculation */
- ctx->vBase = (char*)dst - ((char*)(ctx->dictEnd) - (char*)(ctx->base));
+ ctx->dictEnd = ctx->previousDstEnd;
+ ctx->vBase = (char*)dst - ((char*)(ctx->previousDstEnd) - (char*)(ctx->base));
ctx->base = dst;
+ ctx->previousDstEnd = dst;
}
/* Decompress : frame header; part 1 */
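Review bot: The new overlap test `(char*)dst + maxDstSize > (char*)ctx->base` and the temporary `ctx->base = (char*)dst + maxDstSize` both form a pointer from the caller-supplied `maxDstSize` without checking that the sum stays inside the address space. If a caller passes a capacity larger than the real buffer, which seems most plausible in the 32-bit mode this commit targets, the sum can wrap. The comparison would then be false and the rolling-buffer branch skipped, leaving `vBase` computed from the stale `base`. Consider rejecting that case before the comparison with a guard such as `if (maxDstSize > (size_t)-1 - (size_t)dst)` that returns an error, or at least documenting the precondition with `/* maxDstSize must be the true capacity of dst : dst + maxDstSize must not wrap */`. The `if` also governs only the single `ctx->base = ...` line, so braces around it would make clear that the `dictEnd` and `vBase` updates are unconditional. The enclosing function starts and ends outside this hunk, so whether `maxDstSize` is already bounded earlier cannot be confirmed from here.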
@@ -839,7 +840,6 @@
ctx->stage = ZSTDds_decompressBlock;
}
- ctx->previousDstEnd = dst;
return 0;
}
case 3: