commit cbc5e9dc197e5d673f61fefe34d749fcbe44e276
author Yann Collet <yann.collet.73@gmail.com> Sun Jul 24 18:02:04 2016 +0200
committer Yann Collet <yann.collet.73@gmail.com> Sun Jul 24 18:02:04 2016 +0200
tree b4f00d921c1eebb41fe39885a27e60b7634b8968
parent e5a817a2d81855b07027b7041fdcdc905e43f948

fixes oob read

lib/common/entropy_common.c

diff --git a/lib/common/entropy_common.c b/lib/common/entropy_common.c
index 4b79324..acd9669 100644
--- a/lib/common/entropy_common.c
+++ b/lib/common/entropy_common.c
@@ -93,18 +93,18 @@
         if (previous0) {
             unsigned n0 = charnum;
             while ((bitStream & 0xFFFF) == 0xFFFF) {
-                n0+=24;
+                n0 += 24;
                 if (ip < iend-5) {
-                    ip+=2;
+                    ip += 2;
                     bitStream = MEM_readLE32(ip) >> bitCount;
                 } else {
                     bitStream >>= 16;
-                    bitCount+=16;
+                    bitCount   += 16;
             }   }
             while ((bitStream & 3) == 3) {
-                n0+=3;
-                bitStream>>=2;
-                bitCount+=2;
+                n0 += 3;
+                bitStream >>= 2;
+                bitCount += 2;
             }
             n0 += bitStream & 3;
             bitCount += 2;
@@ -148,6 +148,7 @@
             bitStream = MEM_readLE32(ip) >> (bitCount & 31);
     }   }   /* while ((remaining>1) & (charnum<=*maxSVPtr)) */
     if (remaining != 1) return ERROR(corruption_detected);
+    if (bitCount > 32) return ERROR(corruption_detected);
     *maxSVPtr = charnum-1;
 
     ip += (bitCount+7)>>3;