Validate LZ41 footer fields before decompression #399

Merged
Shivansps merged 1 commit into KnossosNET:main from Goober5000:fix/h4h5
May 9, 2026

@Goober5000

Contributor

The decompressor read numOffsets, blockSize, and uncompressedSize from the compressed file footer with no validation, allowing a crafted LZ41 file to cause an OOM crash (numOffsets set to INT_MAX allocates ~8 GB), a DivideByZeroException (blockSize = 0), or an IndexOutOfRangeException (numOffsets smaller than the number of blocks the data requires).

Adds four guards in LZ41_Stream_Decompress:

  • numOffsets must be > 0 and fit within the file (prevents OOM and integer overflow in the offset table seek calculation)
  • footer-supplied uncompressedSize must be > 0
  • blockSize must be > 0 (prevents divide-by-zero)
  • endBlock must be < numOffsets before the decode loop (prevents the offsets[currentBlock+1] out-of-bounds access on the last iteration)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
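
The four guards listed above, as an added C# example that is not the project's code or part of this pull request. The footer layout (an int32 offset table followed by numOffsets, uncompressedSize and blockSize as the last 12 bytes), the endBlock formula for a full read, and the names `Lz41FooterCheck` and `ReadFooter` are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Text;

static class Lz41FooterCheck
{
    // Assumed layout: int32 offsets[numOffsets], then three int32 values
    // (numOffsets, uncompressedSize, blockSize) at the very end of the file.
    const int TrailerBytes = 3 * sizeof(int);

    public static (int NumOffsets, int Size, int BlockSize) ReadFooter(Stream s)
    {
        if (s.Length < TrailerBytes)
            throw new InvalidDataException("too short for an LZ41 footer");
        s.Seek(-TrailerBytes, SeekOrigin.End);
        using var r = new BinaryReader(s, Encoding.UTF8, leaveOpen: true);
        int numOffsets = r.ReadInt32(), size = r.ReadInt32(), blockSize = r.ReadInt32();

        // 64-bit arithmetic: numOffsets * 4 must not wrap before the bound check,
        // and nothing is allocated until the table is known to fit in the file.
        long tableBytes = (long)numOffsets * sizeof(int);
        if (numOffsets <= 0 || tableBytes > s.Length - TrailerBytes)
            throw new InvalidDataException("numOffsets does not fit in the file");
        if (size <= 0) throw new InvalidDataException("uncompressedSize must be > 0");
        if (blockSize <= 0) throw new InvalidDataException("blockSize must be > 0");

        // Last block a full read touches (assumed formula), checked against
        // numOffsets before any offsets[] indexing happens.
        int endBlock = (size - 1) / blockSize;
        if (endBlock >= numOffsets)
            throw new InvalidDataException("endBlock outside the offset table");
        return (numOffsets, size, blockSize);
    }

    static void Main()
    {
        // Constructed input: 16 filler bytes, then a footer claiming int.MaxValue offsets.
        using var ms = new MemoryStream();
        using (var w = new BinaryWriter(ms, Encoding.UTF8, leaveOpen: true))
        {
            w.Write(new byte[16]);
            w.Write(int.MaxValue); w.Write(65536); w.Write(65536);
        }
        try { ReadFooter(ms); }
        catch (InvalidDataException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```
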
@wookieejedi

Contributor

Things still work as expected

@Shivansps Shivansps merged commit 123884a into KnossosNET:main May 9, 2026
@Goober5000 Goober5000 deleted the fix/h4h5 branch May 9, 2026 18:51