default_medium: avoid out-of-bounds read

phmccarty · jtkukunas · commit 33f8f35b83b0 · 2022-04-14T20:11:29.000-04:00
The `match` pointer can be dereferenced outside the `s-&gt;window` buffer, so
add a boundary check to avoid the issue.

The issue was detected with valgrind. For example, running `gzip FILE` with
valgrind on Clear Linux OS for a FILE that reproduces the issue:

  ==1610872== Thread 3:
  ==1610872== Invalid read of size 1
  ==1610872==    at 0x49E9A98: fizzle_matches (deflate_medium.c:150)
  ==1610872==    by 0x49E9A98: deflate_medium (deflate_medium.c:281)
  ==1610872==    by 0x49EC1E7: deflate (deflate.c:1015)
  ==1610872==    by 0x1195D8: UnknownInlinedFun (pigz.c:1602)
  ==1610872==    by 0x1195D8: compress_thread (pigz.c:1752)
  ==1610872==    by 0x11AFD1: ignition (yarn.c:253)
  ==1610872==    by 0x49CB50E: start_thread (pthread_create.c:481)
  ==1610872==    by 0x4B43B02: clone (in /usr/lib64/haswell/libc-2.33.so)
  ==1610872==  Address 0x4c6369f is 1 bytes before a block of size 65,552 alloc'd
  ==1610872==    at 0x48447DA: malloc (vg_replace_malloc.c:380)
  ==1610872==    by 0x49EAB4C: deflateInit2_ (deflate.c:319)
  ==1610872==    by 0x11933D: compress_thread (pigz.c:1637)
  ==1610872==    by 0x11AFD1: ignition (yarn.c:253)
  ==1610872==    by 0x49CB50E: start_thread (pthread_create.c:481)
  ==1610872==    by 0x4B43B02: clone (in /usr/lib64/haswell/libc-2.33.so)

The out-of-bounds check for `orig` has been added for completeness.
diff --git a/deflate_medium.c b/deflate_medium.c
@@ -164,6 +164,10 @@ static void fizzle_matches(deflate_state *s, struct match *current, struct match
         match--;
         orig--;
         changed ++;
+
+        /* Make sure to avoid an out-of-bounds read on the next iteration */
+        if (match < s->window || orig < s->window)
+                break;
     }
 
     if (!changed)
