igzip: Fix inflate bug with long when invalid huffman codes.

Change-Id: I52bfed0afa208462ed4a8614dd46cda5a5dc968d Signed-off-by: Roy Oursler <roy.j.oursler@intel.com>
2016-11-21 15:37:01 -07:00 · 2016-11-21 15:37:01 -07:00 · dfa4fd0940
commit dfa4fd0940
parent 3bc0efa6c2
3 changed files with 28 additions and 1 deletions
--- a/igzip/igzip_decode_block_stateless.asm
+++ b/igzip/igzip_decode_block_stateless.asm
@ -281,6 +281,7 @@ stack_size		equ	3 * 8 + 8 * 8
 	;; Save length associated with symbol
 	mov	rcx, %%next_sym
 	shr	rcx, 9
+	jz	invalid_symbol
 	and	%%next_sym, 0x1FF
 %%end:
 	;; Updated read_in to reflect the bits which were decoded
@ -332,7 +333,9 @@ stack_size		equ	3 * 8 + 8 * 8
 	;; Save length associated with symbol
 	mov	rcx, %%next_sym
 	shr	rcx, 9
+	jz	invalid_symbol
 	and	%%next_sym, 0x1FF
+
 %%end:
 	;; Updated read_in to reflect the bits which were decoded
 	SHRX	%%read_in, %%read_in, rcx
--- a/igzip/igzip_inflate.c
+++ b/igzip/igzip_inflate.c
@ -275,6 +275,9 @@ static void inline make_inflate_huff_code_large(struct inflate_huff_code_large *
 			}
 		}

+		memset(&result->long_code_lookup[long_code_lookup_length], 0x00,
+		       2 * (1 << (max_length - ISAL_DECODE_LONG_BITS)));
+
 		for (j = 0; j < temp_code_length; j++) {
 			code_length = huff_code_table[temp_code_list[j]].length;
 			long_bits =
@ -429,6 +432,9 @@ static void inline make_inflate_huff_code_small(struct inflate_huff_code_small *
 			}
 		}

+		memset(&result->long_code_lookup[long_code_lookup_length], 0x00,
+		       2 * (1 << (max_length - ISAL_DECODE_SHORT_BITS)));
+
 		for (j = 0; j < temp_code_length; j++) {
 			code_length = huff_code_table[temp_code_list[j]].length;
 			long_bits =
@ -543,6 +549,10 @@ static uint16_t inline decode_next_large(struct inflate_state *state,
 		bit_count = next_sym >> 9;
 		state->read_in >>= bit_count;
 		state->read_in_length -= bit_count;
+
+		if (bit_count == 0)
+			next_sym = 0x1FF;
+
 		return next_sym & 0x1FF;

 	}
--- a/igzip/inflate_std_vects.h
+++ b/igzip/inflate_std_vects.h
@ -1380,6 +1380,19 @@ uint8_t std_vect_149[] = {
 	0xff
 };

+uint8_t std_vect_150[] = {
+	0x1c ,0xe5 ,0x03 ,0x97 ,0x00 ,0x80 ,0xff ,0xff,
+	0xa5 ,0xa5 ,0xa5 ,0xa5 ,0xa5 ,0xa5 ,0xa5 ,0x10,
+	0xf3 ,0x1d ,0x1d ,0x09 ,0x1d ,0x09 ,0xa5 ,0x00,
+	0x00 ,0x08 ,0xa5 ,0x30 ,0x11 ,0x11 ,0x11 ,0xa5,
+	0xa5 ,0xa5 ,0xa5 ,0xa5 ,0x80 ,0xa8 ,0x7a ,0x11,
+	0x11 ,0x09 ,0x01 ,0x09 ,0x1d ,0x1d ,0x09 ,0x05,
+	0x1d ,0xa7 ,0x11 ,0x11 ,0x11 ,0x11 ,0x6d ,0x10,
+	0x6d ,0x6d ,0xa5 ,0xa5 ,0x30 ,0x30 ,0x30 ,0x30,
+	0x30 ,0x30 ,0x30 ,0x30 ,0x30 ,0x30 ,0x30 ,0x30,
+	0x30 ,0x30
+};
+
 struct vect_result {
 	uint8_t *vector;
 	int vector_length;
@ -1536,5 +1549,6 @@ struct vect_result std_vect_array[] = {
 	{std_vect_146, sizeof(std_vect_146), ISAL_INVALID_BLOCK},
 	{std_vect_147, sizeof(std_vect_147), ISAL_INVALID_BLOCK},
 	{std_vect_148, sizeof(std_vect_148), ISAL_INVALID_BLOCK},
-	{std_vect_149, sizeof(std_vect_149), ISAL_INVALID_BLOCK}
+	{std_vect_149, sizeof(std_vect_149), ISAL_INVALID_BLOCK},
+	{std_vect_150, sizeof(std_vect_150), ISAL_INVALID_SYMBOL}
 };