igzip: Fix bug in inflate when exactly one distance is coded

Initialize the lookup table so invalid lookups do not cause segfaults. Change-Id: Ibb88c4c473fa233f8821c35b3e32ff62814c2b15 Signed-off-by: Roy Oursler <[email protected]>
ibmsoe · Dec 6, 2016 · 600d887 · 600d887
1 parent 3d66317
commit 600d887
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/igzip/igzip_fuzz_inflate.c b/igzip/igzip_fuzz_inflate.c
@@ -60,6 +60,8 @@ int main(int argc, char *argv[])
 	fread(in_buf, 1, in_file_size, in);
 
 	/* Inflate data with isal_inflate */
+	memset(state, 0xff, sizeof(struct inflate_state));
+
 	isal_inflate_init(state);
 	state->next_in = in_buf;
 	state->avail_in = in_file_size;

diff --git a/igzip/igzip_inflate.c b/igzip/igzip_inflate.c
@@ -190,6 +190,9 @@ static void inline make_inflate_huff_code_large(struct inflate_huff_code_large *
 	last_length = huff_code_table[code_list[0]].length;
 	copy_size = (1 << last_length);
 
+	/* Initialize short_code_lookup, so invalid lookups process data */
+	memset(short_code_lookup, 0x1d, copy_size * sizeof(*short_code_lookup));
+
 	for (k = 0; k < code_list_len; k++) {
 		i = code_list[k];
 		if (huff_code_table[i].length > ISAL_DECODE_LONG_BITS)
@@ -342,6 +345,9 @@ static void inline make_inflate_huff_code_small(struct inflate_huff_code_small *
 	last_length = huff_code_table[code_list[0]].length;
 	copy_size = (1 << last_length);
 
+	/* Initialize short_code_lookup, so invalid lookups process data */
+	memset(short_code_lookup, 0x1d, copy_size * sizeof(*short_code_lookup));
+
 	for (k = 0; k < code_list_len; k++) {
 		i = code_list[k];
 		if (huff_code_table[i].length > ISAL_DECODE_SHORT_BITS)