Fix Brotli output buffer size validation

trufae · trufae · commit f67eafb96f9b · 2026-03-06T13:24:21.000+01:00
diff --git a/src/lib/brotli.inc.c b/src/lib/brotli.inc.c
@@ -39,7 +39,8 @@ static uint32_t my_crc32(const uint8_t *data, size_t len, uint32_t crc) {
 }
 
 static size_t simple_compress(const uint8_t *input, size_t input_len, uint8_t *output, size_t output_len) {
-	if (output_len < input_len + 8) {
+	const size_t header_size = 5 + 8 + 4;
+	if (output_len < header_size || input_len > output_len - header_size) {
 		return 0;
 	}
 	memcpy (output, "BROT", 4);
@@ -54,7 +55,7 @@ static size_t simple_compress(const uint8_t *input, size_t input_len, uint8_t *o
 }
 
 static size_t simple_decompress(const uint8_t *input, size_t input_len, uint8_t *output, size_t output_len) {
-	if (input_len < 5 + sizeof (size_t) + sizeof (uint32_t)) {
+	if (input_len < 5 + 8 + 4) {
 		return 0;
 	}
 	if (memcmp (input, "BROT", 4) != 0) {
@@ -69,7 +70,7 @@ static size_t simple_decompress(const uint8_t *input, size_t input_len, uint8_t
 		return 0;
 	}
 	uint32_t stored_crc = otezip_read_le32 (input + 5 + 8);
-	const uint8_t *data = input + 5 + sizeof (size_t) + sizeof (uint32_t);
+	const uint8_t *data = input + 5 + 8 + 4;
 	uint32_t computed_crc = my_crc32 (data, stored_len, 0);
 	if (stored_crc != computed_crc) {
 		return 0;

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,8 @@ static uint32_t my_crc32(const uint8_t *data, size_t len, uint32_t crc) {`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`static size_t simple_compress(const uint8_t input, size_t input_len, uint8_t output, size_t output_len) {`
`42`		`- if (output_len < input_len + 8) {`
	`42`	`+ const size_t header_size = 5 + 8 + 4;`
	`43`	`+ if (output_len < header_size \|\| input_len > output_len - header_size) {`
`43`	`44`	`return 0;`
`44`	`45`	`}`
`45`	`46`	`memcpy (output, "BROT", 4);`
`@@ -54,7 +55,7 @@ static size_t simple_compress(const uint8_t input, size_t input_len, uint8_t o`
`54`	`55`	`}`
`55`	`56`
`56`	`57`	`static size_t simple_decompress(const uint8_t input, size_t input_len, uint8_t output, size_t output_len) {`
`57`		`- if (input_len < 5 + sizeof (size_t) + sizeof (uint32_t)) {`
	`58`	`+ if (input_len < 5 + 8 + 4) {`
`58`	`59`	`return 0;`
`59`	`60`	`}`
`60`	`61`	`if (memcmp (input, "BROT", 4) != 0) {`
`@@ -69,7 +70,7 @@ static size_t simple_decompress(const uint8_t *input, size_t input_len, uint8_t`
`69`	`70`	`return 0;`
`70`	`71`	`}`
`71`	`72`	`uint32_t stored_crc = otezip_read_le32 (input + 5 + 8);`
`72`		`- const uint8_t *data = input + 5 + sizeof (size_t) + sizeof (uint32_t);`
	`73`	`+ const uint8_t *data = input + 5 + 8 + 4;`
`73`	`74`	`uint32_t computed_crc = my_crc32 (data, stored_len, 0);`
`74`	`75`	`if (stored_crc != computed_crc) {`
`75`	`76`	`return 0;`