Buffer overflows on malformed input

[grignaak]

shoco_decompress has buffer overflows in two places when given malformed input.

I would submit a patch but shoco_decompress returns a size_t and I am unsure how you would like to signal the error in the API.

The two places are these:

• if the input ends directly after an 0x00 code
• if the input ends midway through the packed bytes (for example, directly after any byte with the high-bit set that is not itself immediately preceded by the 0x00 code.)

[Ed-von-Schleck]

Hi Michael,

thanks for these infos! I was never really thinking about malformed
input; I probably will need to think of it some more.

I haven't had much time for shoco in the last days, as it's a purely
hobby project, but I hope to find time this week. In the meantime:
Please go ahead and propose something, if you have an idea! I'm not
particularly protective of shoco and am willing to merge any patches, as
long as they solve someones problems (and don't introduce new ones).

So I'm afraid I have to put you off some more, but I promise to look
into it in the next days.

Cheers
Christian

Am Montag, den 16.03.2015, 00:11 -0700 schrieb Michael Deardeuff:

shoco_decompress has buffer overflows in two places when given malformed input.

I would submit a patch but shoco_decompress returns a size_t and I am unsure how you would like to signal the error in the API.

The two places are these:

• if the input ends directly after an 0x00 code
• if the input ends midway through the packed bytes (for example, directly after any byte with the high-bit set that is not itself immediately preceded by the 0x00 code.)

---

Reply to this email directly or view it on GitHub:
#12