{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1746074952, "reponame":"libwebsockets", "desc":"libwebsockets lightweight C networking library", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://libwebsockets.org/repo/libwebsockets", "f":3, "items": [ {"schema":"libjg2-1", "cid":"ed398fab5674f288c02fa5f9bd17c279", "commit": {"type":"commit", "time": 1657558442, "time_ofs": 60, "oid_tree": { "oid": "f190b4a41c45a757a7afe7a255a184791fff54c4", "alias": []}, "oid":{ "oid": "608688b3088bb10186700a38b459443d649d6325", "alias": []}, "msg": "upng-gzip: fuzz: size temp arrays to worst huff size", "sig_commit": { "git_time": { "time": 1657558442, "offset": 60 }, "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" }, "sig_author": { "git_time": { "time": 1657558279, "offset": 60 }, "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" }}, "body": "upng-gzip: fuzz: size temp arrays to worst huff size\n\nhttps://oss-fuzz.com/testcase-detail/5964400971874304\n\nThe original upng code this is based on just sizes the temp buffers for 15,\nbut the trees can come in 19, 32, or 288 lengths. 
Set the buffer sizes for\nthe worst case.\n\nAdd some asserts to help catch any further problems more directly.\n" , "diff": "diff --git a/lib/misc/upng-gzip.c b/lib/misc/upng-gzip.c\nindex 722fa3a..a59998a 100644\n--- a/lib/misc/upng-gzip.c\n+++ b/lib/misc/upng-gzip.c\n@@ -242,19 +242,32 @@ huffman_tree_init(htree_t *tree, huff_t *buffer, uint16_t numcodes,\n static lws_stateful_ret_t\n huffman_tree_create_lengths(htree_t *tree, const unsigned *bitlen)\n {\n-\tunsigned int tree1d[MAX_SYMBOLS], blcount[MAX_BIT_LENGTH],\n-\t\t nextcode[MAX_BIT_LENGTH + 1];\n-\tunsigned int bits, n, i, nodefilled \u003d 0, treepos \u003d 0;\n+\tunsigned int tree1d[NUM_DEFLATE_CODE_SYMBOLS], /* sized to worst */\n+\t\t blcount[NUM_DEFLATE_CODE_SYMBOLS], /* sized to worst */\n+\t\t nextcode[MAX_BIT_LENGTH + 1], bits, n, i,\n+\t\t nodefilled \u003d 0, treepos \u003d 0;\n \n \tmemset(blcount, 0, sizeof(blcount));\n \tmemset(nextcode, 0, sizeof(nextcode));\n \n-\tfor (bits \u003d 0; bits \u003c tree-\u003enumcodes; bits++)\n+\tassert(tree-\u003enumcodes \u003c\u003d LWS_ARRAY_SIZE(blcount));\n+\n+\tfor (bits \u003d 0; bits \u003c tree-\u003enumcodes; bits++) {\n+\t\t/* any counts exceeding our private buffer length are fatal */\n+\t\tif (bitlen[bits] \u003e\u003d LWS_ARRAY_SIZE(blcount))\n+\t\t\treturn LWS_SRET_FATAL + 1;\n+\n \t\tblcount[bitlen[bits]]++;\n+\t}\n+\n+\tassert(tree-\u003emaxbitlen \u0026\u0026 tree-\u003emaxbitlen - 1u \u003c\u003d LWS_ARRAY_SIZE(blcount));\n+\tassert(tree-\u003emaxbitlen - 1u \u003c\u003d LWS_ARRAY_SIZE(nextcode));\n \n \tfor (bits \u003d 1; bits \u003c\u003d (unsigned int)tree-\u003emaxbitlen; bits++)\n \t\tnextcode[bits] \u003d (nextcode[bits - 1] + blcount[bits - 1]) \u003c\u003c 1;\n \n+\tassert(tree-\u003enumcodes \u003c\u003d LWS_ARRAY_SIZE(tree1d));\n+\n \tfor (n \u003d 0; n \u003c tree-\u003enumcodes; n++)\n \t\tif (bitlen[n])\n \t\t\ttree1d[n] \u003d nextcode[bitlen[n]]++;\n","s":{"c":1746074952,"u": 2522}} ],"g": 3375,"chitpc": 0,"ehitpc": 
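Review bot: The new range check in the first loop compares `bitlen[bits]` with `LWS_ARRAY_SIZE(blcount)`, but the same value later indexes `nextcode[bitlen[n]]++`, and `nextcode` has only `MAX_BIT_LENGTH + 1` entries. Assuming `NUM_DEFLATE_CODE_SYMBOLS` is the larger constant (the commit message suggests 288 against 15), a code length between the two sizes passes the check and still writes past `nextcode`; bounding by the smaller array, `if (bitlen[bits] >= LWS_ARRAY_SIZE(nextcode)) return LWS_SRET_FATAL + 1;`, would cover both uses. The two `maxbitlen` asserts accept `tree->maxbitlen - 1u == LWS_ARRAY_SIZE(...)` although the following loop writes `nextcode[tree->maxbitlen]`, so they pass values that are already out of bounds, and they compile out under `NDEBUG`. Since the fuzzer report shows this path is reachable from input data, a runtime check such as `if (!tree->maxbitlen || tree->maxbitlen >= LWS_ARRAY_SIZE(nextcode)) return LWS_SRET_FATAL + 1;` seems safer than an assert. The body of `huffman_tree_create_lengths` continues past the end of the hunk, so any later use of `tree1d` is not visible here.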
0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}