zstd: Detect extra block data and report as corrupted (#520)

* zstd: Detect extra block data and report as corrupted * Remove confirmed bad files from decoder corpus. When no sequences, there should not be any more data on the block.
klauspost · Mar 9, 2022 · 531d692 · 531d692
1 parent 0ff8ec1
commit 531d692
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 0 deletions.
diff --git a/zstd/blockdec.go b/zstd/blockdec.go
@@ -517,6 +517,10 @@ func (b *blockDec) prepareSequences(in []byte, hist *history) (err error) {
 		nSeqs = 0x7f00 + int(in[1]) + (int(in[2]) << 8)
 		in = in[3:]
 	}
+	if nSeqs == 0 && len(in) != 0 {
+		// When no sequences, there should not be any more data...
+		return ErrUnexpectedBlockSize
+	}
 
 	var seqs = &hist.decoders
 	seqs.nSeqs = nSeqs

diff --git a/zstd/decoder_test.go b/zstd/decoder_test.go
@@ -1610,6 +1610,7 @@ func testDecoderDecodeAllError(t *testing.T, fn string, dec *Decoder, errMap map
 				t.Error("Did not get expected error, got", len(got), "bytes")
 				return
 			}
+			t.Log(err)
 			if errMap[tt.Name] == "" {
 				t.Error("cannot check error")
 			} else {

diff --git a/zstd/testdata/bad.zip b/zstd/testdata/bad.zip
diff --git a/zstd/testdata/decoder.zip b/zstd/testdata/decoder.zip
diff --git a/zstd/zstd.go b/zstd/zstd.go
@@ -52,6 +52,10 @@ var (
 	// Typically returned on invalid input.
 	ErrBlockTooSmall = errors.New("block too small")
 
+	// ErrUnexpectedBlockSize is returned when a block has unexpected size.
+	// Typically returned on invalid input.
+	ErrUnexpectedBlockSize = errors.New("unexpected block size")
+
 	// ErrMagicMismatch is returned when a "magic" number isn't what is expected.
 	// Typically this indicates wrong or corrupted input.
 	ErrMagicMismatch = errors.New("invalid input: magic number mismatch")