Lack of size validation in ZSTD compression
- [x] Checked for duplicates
Describe the bug
The size validation is missing in https://github.com/root-project/root/blob/master/core/zstd/src/ZipZSTD.cxx line 47. This leads to an invalid stream for sizes between 0x1000000 and 0xffffffff, as only the last 3 bytes of the length are put in the encoded data.
Expected behavior
The size should be checked as done in https://github.com/root-project/root/blob/master/core/lzma/src/ZipLZMA.c lines 40 to 42.
To Reproduce
Just try to deflate something of size > 0xffffff
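
The truncation reported above, next to the bounds check that prevents it, as an added example that is not code from ROOT or from the reporter. The helper names and the little-endian byte order of the 3-byte length field are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_LEN24 0xffffffu /* largest value a 3-byte length field can hold */

/* Unchecked writer: stores only the low 3 bytes of len (assumed little-endian). */
static void put_len24_unchecked(uint8_t *dst, uint32_t len)
{
    dst[0] = (uint8_t)(len & 0xff);
    dst[1] = (uint8_t)((len >> 8) & 0xff);
    dst[2] = (uint8_t)((len >> 16) & 0xff);
}

/* Reader side: rebuilds the length from the 3 header bytes. */
static uint32_t get_len24(const uint8_t *src)
{
    return (uint32_t)src[0] | ((uint32_t)src[1] << 8) | ((uint32_t)src[2] << 16);
}

/* Length a reader recovers when the writer does not validate the size. */
static uint32_t roundtrip_unchecked(uint32_t len)
{
    uint8_t field[3];
    put_len24_unchecked(field, len);
    return get_len24(field);
}

/* Length a reader recovers when the writer validates first; -1 means the
   writer refused to emit a header whose length field would be truncated. */
static int64_t roundtrip_checked(uint64_t len)
{
    uint8_t field[3];
    if (len > MAX_LEN24)
        return -1;
    put_len24_unchecked(field, (uint32_t)len);
    return (int64_t)get_len24(field);
}

int main(void)
{
    /* Constructed sample sizes around the 24-bit boundary. */
    const uint32_t sizes[] = { 0xffffffu, 0x1000000u, 0x1234567u };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("size 0x%x: unchecked header says 0x%x, checked result %lld\n",
               (unsigned)sizes[i], (unsigned)roundtrip_unchecked(sizes[i]),
               (long long)roundtrip_checked(sizes[i]));
    return 0;
}
```
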