LibCompress: Avoid buffer overrun when building canonical Huffman code

Previously, decompressing a DEFLATE stream an invalid canonical Huffman code could cause a buffer overrun. We now return an error in this case.
2025-07-26 17:47:44 +00:00 · 2023-10-09 17:54:49 +01:00 · 2023-10-09 17:54:49 +01:00 · 2f26a7bb12
commit 2f26a7bb12
parent bc6638682d
2 changed files with 10 additions and 0 deletions
--- a/Userland/Libraries/LibCompress/Deflate.cpp
+++ b/Userland/Libraries/LibCompress/Deflate.cpp
@ -100,6 +100,9 @@ ErrorOr<CanonicalCode> CanonicalCode::from_bytes(ReadonlyBytes bytes)
                return Error::from_string_literal("Failed to decode code lengths");

            if (code_length <= CanonicalCode::max_allowed_prefixed_code_length) {
+                if (number_of_prefix_codes >= prefix_codes.size())
+                    return Error::from_string_literal("Invalid canonical Huffman code");
+
                auto& prefix_code = prefix_codes[number_of_prefix_codes++];
                prefix_code.symbol_code = next_code;
                prefix_code.symbol_value = symbol;