-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ZSTD_compressBound can silently overflow #3323
Comments
Hi @nigeltao , Thanks for your report. You are right, the macro can be made to overflow. It's not going to result in safety issues though. It might be useful to distinguish the macro The function is a bit more interesting. It's expected to be used in combination with Still, it's a good point for API completeness to describe what happens in case of overflow. To answer your last paragraph, there is no edit : scrap that last paragraph. There is a |
The
size_t ZSTD_compressBound(size_t srcSize)
function is equivalent to theZSTD_COMPRESSBOUND
macro and it can silently overflow, as seen by compiling this program withgcc -m32
:Output (per https://godbolt.org/z/W5febq6x3):
The severity is probably very low, due to the relative unlikeliness of both (1) a 32 bit system and (2) a large (4GB) input. But given that
dstCapacity > ZSTD_compressBound(srcSize)
enables fast paths (that presumably eschew bounds checking), it would make auditing for memory safety easier if the zstd.h header file that declaresZSTD_compressBound
, in its commentary, discuss how that function can 'fail' (due to overflow) and how callers can detect that.A similar point probably applies to
ZSTD_decompressBound
although that returnsunsigned long long
, notsize_t
, so IIUC should not overflow for a 4-ish GB srcSize.The text was updated successfully, but these errors were encountered: