fix window match bug

invalid logic caused the wrong bytes to be copied to the current output position
trifectatechfoundation · Jun 10, 2024 · 9b4c25e · 9b4c25e
1 parent 7003875
commit 9b4c25e
Show file tree

Hide file tree

Showing 4 changed files with 104 additions and 14 deletions.
diff --git a/libz-rs-sys/src/tests/inflate.rs b/libz-rs-sys/src/tests/inflate.rs
@@ -1527,6 +1527,98 @@ fn issue_109() {
     assert_eq!(output_rs, output_ng);
 }
 
+#[test]
+fn window_match_bug() {
+    // this hit some invalid logic in the inflate `match_` function where invalid bytes were copied
+    // to the current output position.
+    let input = &include_bytes!("test-data/window-match-bug.zraw");
+
+    let window_bits = -10;
+
+    let mut output_rs: Vec<u8> = Vec::with_capacity(1 << 15);
+    let mut output_ng: Vec<u8> = Vec::with_capacity(1 << 15);
+
+    let mut buf = [0; 402];
+
+    {
+        let mut stream = MaybeUninit::<z_stream>::zeroed();
+
+        let err = unsafe {
+            inflateInit2_(
+                stream.as_mut_ptr(),
+                window_bits,
+                zlibVersion(),
+                core::mem::size_of::<z_stream>() as c_int,
+            )
+        };
+        assert_eq!(ReturnCode::from(err), ReturnCode::Ok);
+
+        let stream = unsafe { stream.assume_init_mut() };
+
+        stream.next_in = input.as_ptr() as *mut u8;
+        stream.avail_in = input.len() as _;
+
+        loop {
+            stream.next_out = buf.as_mut_ptr();
+            stream.avail_out = buf.len() as _;
+
+            let err = unsafe { inflate(stream, InflateFlush::Finish as _) };
+
+            output_rs.extend(&buf[..buf.len() - stream.avail_out as usize]);
+
+            match ReturnCode::from(err) {
+                ReturnCode::BufError => {
+                    assert_eq!(stream.avail_out, 0);
+                    stream.avail_out = buf.len() as _;
+                }
+                ReturnCode::StreamEnd => break,
+                other => panic!("unexpected {:?}", other),
+            }
+        }
+    }
+
+    {
+        use libz_sys::*;
+
+        let mut stream = MaybeUninit::<z_stream>::zeroed();
+
+        let err = unsafe {
+            inflateInit2_(
+                stream.as_mut_ptr(),
+                window_bits,
+                zlibVersion(),
+                core::mem::size_of::<z_stream>() as c_int,
+            )
+        };
+        assert_eq!(ReturnCode::from(err), ReturnCode::Ok);
+
+        let stream = unsafe { stream.assume_init_mut() };
+
+        stream.next_in = input.as_ptr() as *mut u8;
+        stream.avail_in = input.len() as _;
+
+        while stream.avail_in != 0 {
+            stream.next_out = buf.as_mut_ptr();
+            stream.avail_out = buf.len() as _;
+
+            let err = unsafe { inflate(stream, InflateFlush::Finish as _) };
+
+            output_ng.extend(&buf[..buf.len() - stream.avail_out as usize]);
+
+            match ReturnCode::from(err) {
+                ReturnCode::BufError => {
+                    assert_eq!(stream.avail_out, 0);
+                    stream.avail_out = buf.len() as _;
+                }
+                ReturnCode::StreamEnd => break,
+                other => panic!("unexpected {:?}", other),
+            }
+        }
+    }
+
+    assert_eq!(output_rs, output_ng);
+}
+
 #[test]
 fn op_len_edge_case() {
     let window_bits = -9;

diff --git a/libz-rs-sys/src/tests/test-data/window-match-bug.zraw b/libz-rs-sys/src/tests/test-data/window-match-bug.zraw
diff --git a/zlib-rs/src/inflate.rs b/zlib-rs/src/inflate.rs
@@ -1242,11 +1242,20 @@ impl<'a> State<'a> {
                 panic!("INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR")
             }
 
-            let slice = self.window.copy(copy);
-            copy = Ord::min(slice.len(), self.length);
+            let wnext = self.window.next();
+            let wsize = self.window.size();
+
+            let from = if copy > wnext {
+                copy -= wnext;
+                wsize - copy
+            } else {
+                wnext - copy
+            };
+
+            copy = Ord::min(copy, self.length);
             copy = Ord::min(copy, left);
 
-            self.writer.extend(&slice[..copy]);
+            self.writer.extend(&self.window.as_slice()[from..][..copy]);
 
             copy
         } else {

diff --git a/zlib-rs/src/inflate/window.rs b/zlib-rs/src/inflate/window.rs
@@ -64,17 +64,6 @@ impl<'a> Window<'a> {
         unsafe { slice_assume_init(&self.buf[..self.have]) }
     }
 
-    pub fn copy(&self, copy: usize) -> &[u8] {
-        let start = if copy > self.next {
-            self.size() - (copy - self.next)
-        } else {
-            self.next - copy
-        };
-
-        // safety: the slice is always from the initialized part of buf
-        unsafe { slice_assume_init(&self.buf[start..self.have]) }
-    }
-
     #[cfg(test)]
     fn extend_adler32(&mut self, slice: &[u8], checksum: &mut u32) {
         self.extend(slice, 0, true, checksum, &mut Crc32Fold::new());