fix(xcrush): off-by-one in forward match loop causes panic during compression #1293
Merged: Benoît Cortier (CBenoit) merged 3 commits on May 21, 2026
Agent-Logs-Url: https://github.com/Devolutions/IronRDP/sessions/c3abde25-6e93-4724-8a4e-203d22e44b1b Co-authored-by: CBenoit <3809077+CBenoit@users.noreply.github.com>
…ress panic Agent-Logs-Url: https://github.com/Devolutions/IronRDP/sessions/c3abde25-6e93-4724-8a4e-203d22e44b1b Co-authored-by: CBenoit <3809077+CBenoit@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Fix failing GitHub Actions job Fuzzing bulk_round_trip" to "fix(xcrush): off-by-one in forward match loop causes panic during compression" on May 20, 2026
Contributor: Neat.
Vladyslav Nikonov (vnikonov-devolutions) approved these changes on May 21, 2026
The XCRUSH `find_match_length` forward loop used `fm > buf_end` instead of `fm >= buf_end`, allowing it to read one byte past the current block boundary (`buf[history_offset + src_size]`). This inflated `match_length` beyond the block, causing `current_offset > self.history_offset` in `generate_output`, and an integer underflow panic at:

LibFuzzer reports this as a crash (exit status 77). The fuzzer corpus input that triggers it is 131 bytes with `algo_byte & 0x03 == 3` (Rdp61/XCRUSH) and sufficient repeated-byte content to produce within-block chunk matches on the first call.

Changes

- `xcrush/mod.rs` — `find_match_length`: Change termination condition `fm > buf_end` → `fm >= buf_end` so forward matching stops at the block boundary.
- `xcrush/mod.rs` — `generate_output`: Add `debug_assert!` + defensive `Err` return before the subtraction as belt-and-suspenders protection against future regressions in match generation.
- `test_data/fuzz_regression/bulk_round_trip/` so `check_bulk_round_trip` catches any recurrence.
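As an added illustration, not IronRDP's own code, here is a cut-down Rust model of the two loop bounds and of the subtraction that underflowed; the function names, argument layout and the 16-byte sample buffer are assumptions, not taken from the PR:

```rust
// Added example (not IronRDP's code): models the XCRUSH forward match scan
// with the original and the fixed boundary test, plus the subtraction in
// generate_output that panicked. Names and layout are assumptions.

/// Scan forward from `pos` (inside the current block) and `cand` (an earlier
/// occurrence) and return how many bytes match. `buf_end` is the exclusive
/// end of the current block, i.e. history_offset + src_size.
///
/// `strict == true` uses the fixed test `fm >= buf_end`; `false` uses the
/// original `fm > buf_end`, which still compares buf[buf_end], one byte past
/// the block, and so can report a match one byte too long.
fn forward_match_length(buf: &[u8], cand: usize, pos: usize, buf_end: usize, strict: bool) -> usize {
    let mut fm = pos; // forward cursor in the current block
    let mut cm = cand; // cursor over the earlier occurrence
    while fm < buf.len() {
        let at_boundary = if strict { fm >= buf_end } else { fm > buf_end };
        if at_boundary || buf[fm] != buf[cm] {
            break;
        }
        fm += 1;
        cm += 1;
    }
    fm - pos
}

/// The subtraction that underflowed: the literal bytes left after the last
/// match are `buf_end - current_offset`. A match that overran the block makes
/// current_offset > buf_end; checked_sub turns the would-be panic into an
/// error, which is the role of the defensive Err return added in the PR.
fn trailing_literal_len(buf_end: usize, current_offset: usize) -> Result<usize, &'static str> {
    buf_end
        .checked_sub(current_offset)
        .ok_or("match extends past block boundary")
}

fn main() {
    // Constructed input: 16 identical bytes; the current block is buf[8..12]
    // and matches against the earlier copy at offset 0. Because buf[12] ==
    // buf[4], the loose bound keeps matching one byte past the block.
    let buf = [b'A'; 16];
    for strict in [false, true] {
        let len = forward_match_length(&buf, 0, 8, 12, strict);
        println!(
            "strict={strict}: match_length={len}, trailing={:?}",
            trailing_literal_len(12, 8 + len)
        );
    }
}
```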