xenia-project/xenia
1
0
Fork 0
mirror of https://github.com/xenia-project/xenia.git synced 2025-12-06 07:12:03 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

fixing potential OOB window write when unpacking chm files

Browse source
This commit is contained in:
npt-1707 2025-04-21 23:21:26 +08:00
parent 3d30b2eec3
commit 02da552981
1 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
third_party/mspack/lzxd.c vendored
View file

@ -781,6 +781,10 @@ int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) {
case LZX_BLOCKTYPE_UNCOMPRESSED: case LZX_BLOCKTYPE_UNCOMPRESSED:
/* as this_run is limited not to wrap a frame, this also means it /* as this_run is limited not to wrap a frame, this also means it
* won't wrap the window (as the window is a multiple of 32k) */ * won't wrap the window (as the window is a multiple of 32k) */
if (window_posn + this_run > lzx->window_size) {
D(("match ran over window boundary"))
return lzx->error = MSPACK_ERR_DECRUNCH;
}
rundest = &window[window_posn]; rundest = &window[window_posn];
window_posn += this_run; window_posn += this_run;
while (this_run > 0) { while (this_run > 0) {
@ -903,8 +907,10 @@ void lzxd_free(struct lzxd_stream *lzx) {
struct mspack_system *sys; struct mspack_system *sys;
if (lzx) { if (lzx) {
sys = lzx->sys; sys = lzx->sys;
sys->free(lzx->inbuf); if(lzx->inbuf)
sys->free(lzx->window); sys->free(lzx->inbuf);
if(lzx->window)
sys->free(lzx->window);
sys->free(lzx); sys->free(lzx);
} }
} }