internal/zstd: fix regeneratedSize too small to cause panic

regeneratedSize that is too small will result in index out-of-bounds behaviour for expanded output slices. regeneratedSize should be greater than or equal to 6 Fixes: golang#63824
aimuz · Nov 6, 2023 · cba040b · cba040b
1 parent 4cd201b
commit cba040b
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/src/internal/zstd/fuzz_test.go b/src/internal/zstd/fuzz_test.go
@@ -22,6 +22,8 @@ var badStrings = []string{
 	"(\xb5/\xfd\x1002000$\x05\x0010\xcc0\xa8100000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 	"(\xb5/\xfd\x1002000$\x05\x0000\xcc0\xa8100d\x0000001000000000000000000000000000000000000000000000000000000000000000000000000\x000000000000000000000000000000000000000000000000000000000000000000000000000000",
 	"(\xb5/\xfd001\x00\x0000000000000000000",
+	"(\xb5/\xfd00\xec\x00\x00&@\x05\x05A7002\x02\x00\x02\x00\x02\x0000000000000000",
+	"(\xb5/\xfd00\xec\x00\x00V@\x05\x0517002\x02\x00\x02\x00\x02\x0000000000000000",
 }
 
 // This is a simple fuzzer to see if the decompressor panics.

diff --git a/src/internal/zstd/literals.go b/src/internal/zstd/literals.go
@@ -214,6 +214,9 @@ func (r *Reader) readLiteralsFourStreams(data block, off, totalStreamsSize, rege
 	if totalStreamsSize < 6 {
 		return nil, r.makeError(off, "total streams size too small for jump table")
 	}
+	if regeneratedSize < 6 {
+		return nil, r.makeError(off, "regenerated size too small for jump table")
+	}
 
 	streamSize1 := binary.LittleEndian.Uint16(data[off:])
 	streamSize2 := binary.LittleEndian.Uint16(data[off+2:])