Fixes potential out-of-bounds read in decompression #92
Merged
hellobertrand merged 5 commits into main, Feb 13, 2026
Codecov Report: All modified and coverable lines are covered by tests.
Adds a bounds check for the literal pointer `l_ptr` to prevent out-of-bounds reads. This ensures that the literal data being copied does not exceed the allocated buffer size during decompression, preventing potential crashes or vulnerabilities.
Ensures `l_ptr` does not exceed `l_end` during decompression to prevent potential out-of-bounds reads. This resolves a possible vulnerability and improves the robustness of the decompression process.
Adds a check to ensure that the literal pointer (`l_ptr`) does not exceed the literal end (`l_end`) during decompression. This prevents potential out-of-bounds reads in the literal stream within the fast decompression loops (4x-unrolled and 1x). It introduces safe thresholds for `l_ptr` based on the maximum literal length per sequence, ensuring `l_ptr` checks are performed only when necessary, minimizing overhead in hot paths.
Ensures that the match length calculation, when extended via varint, does not lead to out-of-bounds writes during decompression.
Adds a bounds check for the data pointer to prevent out-of-bounds reads, and fixes the offset calculation for match length tokens to ensure correct decompression.
This PR implements mathematically proven zero-overhead bounds checking for literal (`l_ptr`) and destination (`d_ptr`) streams in the ZXC decompression hot paths, achieving memory safety against crafted inputs while maintaining performance competitive with the original unsafe implementation.

The previous implementation performed per-sequence bounds checks on every iteration, introducing a 2-3% performance regression. This PR eliminates overhead by moving checks to the cold path (varint branches) and using loop guards to amortize checks across batches of sequences.
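The following is an added illustration of the guard-plus-cold-path pattern the commits and the PR description talk about; it is not ZXC's code, and its token format (a 4-bit literal nibble and 4-bit match nibble, LZ4-style 0xFF varint extensions, a 16-bit little-endian offset, and a separate literal stream) is invented here purely for demonstration. The idea shown is the same: while `l_ptr` and `d_ptr` are at least one worst-case non-extended sequence away from `l_end` and `d_end`, the hot path copies without per-sequence checks; the moment a length nibble signals a varint extension, or a pointer crosses its threshold, the cold path validates `l_ptr + ll <= l_end` and `d_ptr + len <= d_end` before touching memory. A 4x-unrolled loop would use the same construction with thresholds four sequences wide.

```c
/* Hypothetical LZ-style decoder illustrating amortized bounds checks on the
 * literal stream (l_ptr/l_end) and destination (d_ptr/d_end). Constructed
 * example; the token format is invented here and is not ZXC's. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MINMATCH    4        /* match length is stored as (length - MINMATCH) */
#define NIBBLE_MAX  15       /* nibble value meaning "varint extension follows" */
/* Worst-case destination bytes one non-extended sequence can produce. */
#define SEQ_MAX_OUT (NIBBLE_MAX + NIBBLE_MAX + MINMATCH)

/* LZ4-style extension: keep adding bytes until one is not 0xFF.
 * Returns -1 if the token stream is exhausted mid-varint. */
static int read_ext(const uint8_t **tp, const uint8_t *t_end, size_t *len)
{
    uint8_t b;
    do {
        if (*tp >= t_end) return -1;
        b = *(*tp)++;
        *len += b;
    } while (b == 0xFF);
    return 0;
}

/* Token stream: [token][lit ext?][offset LE16][match ext?]... ; literals live
 * in a separate stream and any left over are appended as trailing literals.
 * Returns bytes written, or -1 on any malformed or out-of-bounds input. */
ptrdiff_t lz_decompress(const uint8_t *tok, size_t tok_len,
                        const uint8_t *lit, size_t lit_len,
                        uint8_t *dst, size_t dst_cap)
{
    const uint8_t *t_ptr = tok, *t_end = tok + tok_len;
    const uint8_t *l_ptr = lit, *l_end = lit + lit_len;
    uint8_t *d_ptr = dst, *d_end = dst + dst_cap;

    while (t_ptr < t_end) {
        uint8_t token = *t_ptr++;
        size_t ll = token >> 4, ml = token & 0x0F;
        int ml_ext = (ml == NIBBLE_MAX);

        /* Loop guard: if both pointers are at least one worst-case sequence
         * away from their ends and the literal length is not extended, the
         * copies below cannot overrun, so the hot path skips the checks. */
        int slow = (ll == NIBBLE_MAX)
                || (size_t)(l_end - l_ptr) < NIBBLE_MAX
                || (size_t)(d_end - d_ptr) < SEQ_MAX_OUT;

        if (slow) {                                    /* cold path */
            if (ll == NIBBLE_MAX && read_ext(&t_ptr, t_end, &ll)) return -1;
            if (ll > (size_t)(l_end - l_ptr)) return -1;  /* literal OOB read */
            if (ll > (size_t)(d_end - d_ptr)) return -1;  /* dest OOB write */
        }
        memcpy(d_ptr, l_ptr, ll);
        d_ptr += ll;
        l_ptr += ll;

        if (t_end - t_ptr < 2) return -1;
        size_t off = (size_t)t_ptr[0] | ((size_t)t_ptr[1] << 8);
        t_ptr += 2;
        if (off == 0 || off > (size_t)(d_ptr - dst)) return -1; /* bad back-ref */

        /* Match length: only the varint-extended (or near-end) case can exceed
         * what the guard already proved fits, so check only there. */
        if (ml_ext && read_ext(&t_ptr, t_end, &ml)) return -1;
        ml += MINMATCH;
        if ((slow || ml_ext) && ml > (size_t)(d_end - d_ptr)) return -1;

        const uint8_t *m = d_ptr - off;               /* byte copy: overlap OK */
        for (size_t i = 0; i < ml; i++) d_ptr[i] = m[i];
        d_ptr += ml;
    }

    size_t tail = (size_t)(l_end - l_ptr);            /* trailing literals */
    if (tail > (size_t)(d_end - d_ptr)) return -1;
    memcpy(d_ptr, l_ptr, tail);
    d_ptr += tail;
    return d_ptr - dst;
}

/* Constructed input that stays on the hot path: 16 literals and a 64-byte
 * destination keep both pointers past their thresholds. Returns 1 on success. */
int demo_roundtrip(void)
{
    static const uint8_t lit[] = "0123456789ABCDEF";          /* 16 bytes used */
    static const uint8_t tok[] = { (4 << 4) | 4, 0x04, 0x00 }; /* ll=4, ml=8, off=4 */
    uint8_t out[64];
    ptrdiff_t n = lz_decompress(tok, sizeof tok, lit, 16, out, sizeof out);
    return n == 24 && memcmp(out, "012301230123456789ABCDEF", 24) == 0;
}

/* Constructed crafted inputs that must all be rejected. Returns 1 if so. */
int demo_crafted(void)
{
    static const uint8_t lit[] = { 'a', 'b' };
    static const uint8_t over_lit[] = { 0xF0, 0x10, 0x01, 0x00 };    /* ll=31, 2 avail */
    static const uint8_t over_dst[] = { 0x1F, 0x01, 0x00, 0xFF, 0xFF, 0x00 }; /* ml=529 */
    static const uint8_t zero_off[] = { 0x10, 0x00, 0x00 };          /* offset 0 */
    uint8_t out[64];
    return lz_decompress(over_lit, sizeof over_lit, lit, sizeof lit, out, sizeof out) == -1
        && lz_decompress(over_dst, sizeof over_dst, lit, sizeof lit, out, sizeof out) == -1
        && lz_decompress(zero_off, sizeof zero_off, lit, sizeof lit, out, sizeof out) == -1;
}
```

The thresholds are written as pointer-difference comparisons for clarity; a production loop would precompute `l_end - NIBBLE_MAX` and `d_end - SEQ_MAX_OUT` once and compare pointers, which is the form the commit messages describe. The invariant to preserve when tuning either constant is that the hot path must never copy more bytes than the guard proved were available.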