stb_image: Fix zlib decoder end-of-stream handling

We speculatively try to fill our bit buffer to always contain at least 16 bits for stbi__zhuffman_decode. It's not a sign of a malformed stream for us to be reading past the end there, because the contents of that bit buffer are speculative; it's only a malformed stream if we actually _consume_ the extra bits. This fix adds some extra logic where we the first time we hit zeof, we add an explicit 16 extra zero bits at the top of the bit buffer just so that for the purposes of the decoder, we have 16 bits in the buffer. However, if at the end of stream, we have the "hit zeof once" flag set and less than 16 bits remaining in the bit buffer, we know some of those implicit zero bits got read, which indicates we actually had a past-end-of-stream read. In that case, flag it as an error. While I'm in here, also rephrase the length-too-large check to not do any potentially-overflowing pointer arithmetic. Fixes issue #1456.
ago%!(EXTRA string=2 years) · d373674115
parent 03f50e343d
commit d373674115
1 changed files with 23 additions and 3 deletions
--- a/stb_image.h
+++ b/stb_image.h
@ -4176,6 +4176,7 @@ typedef struct
 {
   stbi_uc *zbuffer, *zbuffer_end;
   int num_bits;
+   int hit_zeof_once;
   stbi__uint32 code_buffer;

   char *zout;
@ -4242,9 +4243,20 @@ stbi_inline static int stbi__zhuffman_decode(stbi__zbuf *a, stbi__zhuffman *z)
   int b,s;
   if (a->num_bits < 16) {
      if (stbi__zeof(a)) {
-         return -1;   /* report error for unexpected end of data. */
+         if (!a->hit_zeof_once) {
+            // This is the first time we hit eof, insert 16 extra padding btis
+            // to allow us to keep going; if we actually consume any of them
+            // though, that is invalid data. This is caught later.
+            a->hit_zeof_once = 1;
+            a->num_bits += 16; // add 16 implicit zero bits
+         } else {
+            // We already inserted our extra 16 padding bits and are again
+            // out, this stream is actually prematurely terminated.
+            return -1;
+         }
+      } else {
+         stbi__fill_bits(a);
      }
-      stbi__fill_bits(a);
   }
   b = z->fast[a->code_buffer & STBI__ZFAST_MASK];
   if (b) {
@ -4309,6 +4321,13 @@ static int stbi__parse_huffman_block(stbi__zbuf *a)
         int len,dist;
         if (z == 256) {
            a->zout = zout;
+            if (a->hit_zeof_once && a->num_bits < 16) {
+               // The first time we hit zeof, we inserted 16 extra zero bits into our bit
+               // buffer so the decoder can just do its speculative decoding. But if we
+               // actually consumed any of those bits (which is the case when num_bits < 16),
+               // the stream actually read past the end so it is malformed.
+               return stbi__err("unexpected end","Corrupt PNG");
+            }
            return 1;
         }
         if (z >= 286) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, length codes 286 and 287 must not appear in compressed data
@ -4320,7 +4339,7 @@ static int stbi__parse_huffman_block(stbi__zbuf *a)
         dist = stbi__zdist_base[z];
         if (stbi__zdist_extra[z]) dist += stbi__zreceive(a, stbi__zdist_extra[z]);
         if (zout - a->zout_start < dist) return stbi__err("bad dist","Corrupt PNG");
-         if (zout + len > a->zout_end) {
+         if (len > a->zout_end - zout) {
            if (!stbi__zexpand(a, zout, len)) return 0;
            zout = a->zout;
         }
@ -4464,6 +4483,7 @@ static int stbi__parse_zlib(stbi__zbuf *a, int parse_header)
      if (!stbi__parse_zlib_header(a)) return 0;
   a->num_bits = 0;
   a->code_buffer = 0;
+   a->hit_zeof_once = 0;
   do {
      final = stbi__zreceive(a,1);
      type = stbi__zreceive(a,2);