fix bounds checking in parsing of gzip header

arvidn · arvidn · commit 17d78d3b8f4a · 2017-10-01T03:33:38.000+02:00
diff --git a/src/gzip.cpp b/src/gzip.cpp
@@ -112,13 +112,13 @@ namespace libtorrent {
 namespace {
 
 	// returns -1 if gzip header is invalid or the header size in bytes
-	int gzip_header(span<char const> const buf)
+	int gzip_header(span<char const> const in)
 	{
 		// The zip header cannot be shorter than 10 bytes
-		if (buf.size() < 10) return -1;
+		if (in.size() < 10) return -1;
 
 		span<unsigned char const> buffer(
-			reinterpret_cast<const unsigned char*>(buf.data()), buf.size());
+			reinterpret_cast<const unsigned char*>(in.data()), in.size());
 
 		// gzip is defined in https://tools.ietf.org/html/rfc1952
 
@@ -150,22 +150,22 @@ namespace {
 
 		if (flags & FNAME)
 		{
-			if (buf.empty()) return -1;
+			if (buffer.empty()) return -1;
 			while (buffer[0] != 0)
 			{
 				buffer = buffer.subspan(1);
-				if (buf.empty()) return -1;
+				if (buffer.empty()) return -1;
 			}
 			buffer = buffer.subspan(1);
 		}
 
 		if (flags & FCOMMENT)
 		{
-			if (buf.empty()) return -1;
+			if (buffer.empty()) return -1;
 			while (buffer[0] != 0)
 			{
 				buffer = buffer.subspan(1);
-				if (buf.empty()) return -1;
+				if (buffer.empty()) return -1;
 			}
 			buffer = buffer.subspan(1);
 		}
@@ -176,7 +176,7 @@ namespace {
 			buffer = buffer.subspan(2);
 		}
 
-		return static_cast<int>(buf.size() - buffer.size());
+		return static_cast<int>(in.size() - buffer.size());
 	}
 	} // anonymous namespace
 
diff --git a/test/invalid1.gz b/test/invalid1.gz
diff --git a/test/test_gzip.cpp b/test/test_gzip.cpp
@@ -74,6 +74,22 @@ TORRENT_TEST(corrupt)
 	TEST_CHECK(ec);
 }
 
+TORRENT_TEST(invalid1)
+{
+	std::vector<char> zipped;
+	error_code ec;
+	load_file(combine_path("..", "invalid1.gz"), zipped, ec, 1000000);
+	if (ec) std::printf("failed to open file: (%d) %s\n", ec.value()
+		, ec.message().c_str());
+	TEST_CHECK(!ec);
+
+	std::vector<char> inflated;
+	inflate_gzip(zipped, inflated, 1000000, ec);
+
+	// we expect this to fail
+	TEST_CHECK(ec);
+}
+
 TORRENT_TEST(empty)
 {
 	std::vector<char> empty;

Original file line number	Diff line number	Diff line change
`@@ -112,13 +112,13 @@ namespace libtorrent {`
`112`	`112`	`namespace {`
`113`	`113`
`114`	`114`	`// returns -1 if gzip header is invalid or the header size in bytes`
`115`		`- int gzip_header(span<char const> const buf)`
	`115`	`+ int gzip_header(span<char const> const in)`
`116`	`116`	`{`
`117`	`117`	`// The zip header cannot be shorter than 10 bytes`
`118`		`- if (buf.size() < 10) return -1;`
	`118`	`+ if (in.size() < 10) return -1;`
`119`	`119`
`120`	`120`	`span<unsigned char const> buffer(`
`121`		`- reinterpret_cast<const unsigned char*>(buf.data()), buf.size());`
	`121`	`+ reinterpret_cast<const unsigned char*>(in.data()), in.size());`
`122`	`122`
`123`	`123`	`// gzip is defined in https://tools.ietf.org/html/rfc1952`
`124`	`124`
`@@ -150,22 +150,22 @@ namespace {`
`150`	`150`
`151`	`151`	`if (flags & FNAME)`
`152`	`152`	`{`
`153`		`- if (buf.empty()) return -1;`
	`153`	`+ if (buffer.empty()) return -1;`
`154`	`154`	`while (buffer[0] != 0)`
`155`	`155`	`{`
`156`	`156`	`buffer = buffer.subspan(1);`
`157`		`- if (buf.empty()) return -1;`
	`157`	`+ if (buffer.empty()) return -1;`
`158`	`158`	`}`
`159`	`159`	`buffer = buffer.subspan(1);`
`160`	`160`	`}`
`161`	`161`
`162`	`162`	`if (flags & FCOMMENT)`
`163`	`163`	`{`
`164`		`- if (buf.empty()) return -1;`
	`164`	`+ if (buffer.empty()) return -1;`
`165`	`165`	`while (buffer[0] != 0)`
`166`	`166`	`{`
`167`	`167`	`buffer = buffer.subspan(1);`
`168`		`- if (buf.empty()) return -1;`
	`168`	`+ if (buffer.empty()) return -1;`
`169`	`169`	`}`
`170`	`170`	`buffer = buffer.subspan(1);`
`171`	`171`	`}`
`@@ -176,7 +176,7 @@ namespace {`
`176`	`176`	`buffer = buffer.subspan(2);`
`177`	`177`	`}`
`178`	`178`
`179`		`- return static_cast<int>(buf.size() - buffer.size());`
	`179`	`+ return static_cast<int>(in.size() - buffer.size());`
`180`	`180`	`}`
`181`	`181`	`} // anonymous namespace`
`182`	`182`