run_len_dist: validate that dist is not 0. Fixes information disclosu…

…re vulnerability in this function. This is not exploitable in practice, because run_len_dist() is not exposes in the public API and is never called with dist=0 from this crate, even given deliberately malformed inputs.
PistonDevelopers · Jun 25, 2018 · 11c73f2c545183b51a10c339267e16fc2dd23d60 · 11c73f2
1 parent 3715c4c
commit 11c73f2c545183b51a10c339267e16fc2dd23d60
Unified Split

Showing with 3 additions and 0 deletions.

+3 −0 src/lib.rs
diff --git a/src/lib.rs b/src/lib.rs
@@ -625,6 +625,9 @@ impl InflateStream {
    fn run_len_dist(&mut self, len: u16, dist: u16) -> Result<Option<u16>, String> {
        debug!("RLE -{}; {} (cap={} len={})", dist, len,
               self.buffer.capacity(), self.buffer.len());
+  
+        if dist < 1 {
+  
+            return Err("invalid run length in stream".to_owned());
+  
+        }
        let buffer_size = self.buffer.capacity() as u16;
        let len = if self.pos < dist {
            // Handle copying from ahead, until we hit the end reading.