NULL pointer dereference in BIT_reloadDStream()

Question

NULL pointer dereference in BIT_reloadDStream()

JohanKnutzen opened this issue 6 years ago · comments

Crashing line:
430: bitD->bitContainer = MEM_readLEST(bitD->ptr);
in bitstream.h in the function BIT_reloadDStream()
triggered by FSE_decompressU16() with the following code:

const uint8_t* casted2 = (uint8_t*)"Àâ(¢x(Kùÿÿcb¿\a";
uint16_t out[256];
size_t ret = FSE_decompressU16(out, 256, casted2, 14);

This is caused by
size_t const NSize = FSE_readNCount (NCount, &maxSymbolValue, &tableLog, istart, cSrcSize);
returning zero in the following block of FSE_decompressU16():

{ size_t const NSize = FSE_readNCount (NCount, &maxSymbolValue, &tableLog, istart, cSrcSize);
if (FSE_isError(NSize)) return NSize;
ip += NSize;
cSrcSize -= NSize;
}
thus, resulting in a zero cSrcSize when entering FSE_decompressU16_usingDTable() which is unexpected

I don't know if this can happen in the 8 bit version.

Yann Collet commented 3 years ago

Yes

Johan Knutzen · Answer 1 · Thu Aug 20 2020 04:46:26 GMT+0800 (China Standard Time)

Is this fixed in dev? I can test this one as well if it is believed to be fixed

Yann Collet · Answer 2 · Wed Sep 16 2020 03:19:08 GMT+0800 (China Standard Time)

There have been a number of changes in fse since 2019,
but I'm not sure if one of them addresses this concern.
FSE_readNCount was updated in zstd, and maybe it fixed this issue.
Note though that not all updates are sync into fse repository yet :
we do have difficulties to keep both repositories automatically synchronized, for complex path & namespace reasons,
so it always requires some manual work to do that.

Johan Knutzen · Answer 3 · Wed Mar 17 2021 09:02:26 GMT+0800 (China Standard Time)

@Cyan4973 Sorry for the late reply. I just updated to the latest version of fse (dev branch) and it still crashes. The repro is still

const uint8_t* casted2 = (uint8_t*)"Àâ(¢x(Kùÿÿcb¿\a";
uint16_t out[256];
size_t ret = FSE_decompressU16(out, 256, casted2, 14);

I have a more complex repro that involves FSE_compressU16 if you'd like me to provide it.

Johan Knutzen · Answer 4 · Fri Aug 06 2021 02:04:41 GMT+0800 (China Standard Time)

@Cyan4973 Bump!

Yann Collet · Answer 5 · Fri Aug 06 2021 02:37:00 GMT+0800 (China Standard Time)

I'm sorry,
there is currently no availability left to continue maintaining FSE as a separate library.

There is ongoing work on FSE, but as part of zstd, and these code bases are now diverging.
And for example, the FSE_compressU16() variant is not used there, so is not supported.

The situation could be different in some future,
but in the foreseeable future, I'm afraid I can't offer the time for it.

Johan Knutzen · Answer 6 · Fri Aug 06 2021 02:39:43 GMT+0800 (China Standard Time)

Alright, thanks @Cyan4973

If I find a fix for this, can I do a PR on this repo?