[zlib] Avoid wide writes to dst in crc_fold_copy when len < 16

When copying directly to next_out, as is done in deflate_stored, there may not be enough space in the buffer. Fix by jmaaninen, test by me. Bug: 325990053 Change-Id: Ia28d3fac9c2db3f27a23a5fbde399cad323ef40d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5307227 Commit-Queue: Adenilson Cavalcanti <cavalcantii@chromium.org> Reviewed-by: Adenilson Cavalcanti <cavalcantii@chromium.org> Cr-Commit-Position: refs/heads/main@{#1263750} NOKEYCHECK=True GitOrigin-RevId: 67c52873de10c06808c0de985a1e3cb8c3456d7a
author: Hans Wennborg <hans@chromium.org> 2024-02-22 02:19:19 +0000
committer: Copybara-Service <copybara-worker@google.com> 2024-02-21 18:30:17 -0800
commit: 03c356e4c106e4e6850edaae29be45290a2cb36c (patch)
tree: 0cf5e1ec9e1ccddade8aca839d00689457067379
parent: 4b5807f344182fd392849b820642457212618e5f (diff)
download: zlib-03c356e4c106e4e6850edaae29be45290a2cb36c.tar.gz
3 files changed, 27 insertions, 2 deletions
diff --git a/contrib/tests/utils_unittest.cc b/contrib/tests/utils_unittest.cc
index 4a80277..3d6672d 100644
--- a/contrib/tests/utils_unittest.cc
+++ b/contrib/tests/utils_unittest.cc
@@ -1080,6 +1080,31 @@ TEST(ZlibTest, DeflateCopy) {
       0);
 }
 
+TEST(ZlibTest, GzipStored) {
+  // Check that deflating uncompressed blocks with a gzip header doesn't write
+  // out of bounds (crbug.com/325990053).
+  z_stream stream;
+  stream.zalloc = Z_NULL;
+  stream.zfree = Z_NULL;
+  static const int kGzipWrapper = 16;
+  int ret = deflateInit2(&stream, Z_NO_COMPRESSION, Z_DEFLATED,
+                         9 + kGzipWrapper, 9, Z_DEFAULT_STRATEGY);
+  ASSERT_EQ(ret, Z_OK);
+
+  const std::vector<uint8_t> src(512 * 1024);
+  stream.next_in = (unsigned char*)src.data();
+  stream.avail_in = src.size();
+
+  std::vector<uint8_t> out(1000);
+  stream.next_out = (unsigned char*)out.data();
+  stream.avail_out = out.size();
+
+  ret = deflate(&stream, Z_NO_FLUSH);
+  ASSERT_EQ(ret, Z_OK);
+
+  deflateEnd(&stream);
+}
+
 // TODO(gustavoa): make these tests run standalone.
 #ifndef CMAKE_STANDALONE_UNITTESTS
 
diff --git a/crc_folding.c b/crc_folding.c
index 1b4f4e1..1d54ee8 100644
--- a/crc_folding.c
+++ b/crc_folding.c
@@ -403,7 +403,7 @@ partial:
     }
 #endif
 
-    _mm_storeu_si128((__m128i *)dst, xmm_crc_part);
+    zmemcpy(dst, src, len);  /* TODO: Possibly generate more efficient code. */
     partial_fold(s, len, &xmm_crc0, &xmm_crc1, &xmm_crc2, &xmm_crc3,
         &xmm_crc_part);
 done:
diff --git a/patches/0001-simd.patch b/patches/0001-simd.patch
index 9434ca0..dccf505 100644
--- a/patches/0001-simd.patch
+++ b/patches/0001-simd.patch
@@ -449,7 +449,7 @@ index 000000000000..48d77744aaf4
 +    }
 +#endif
 +
-+    _mm_storeu_si128((__m128i *)dst, xmm_crc_part);
++    zmemcpy(dst, src, len);  /* TODO: Possibly generate more efficient code. */
 +    partial_fold(s, len, &xmm_crc0, &xmm_crc1, &xmm_crc2, &xmm_crc3,
 +        &xmm_crc_part);
 +done:
author	Hans Wennborg <hans@chromium.org>	2024-02-22 02:19:19 +0000
committer	Copybara-Service <copybara-worker@google.com>	2024-02-21 18:30:17 -0800
commit	03c356e4c106e4e6850edaae29be45290a2cb36c (patch)
tree	0cf5e1ec9e1ccddade8aca839d00689457067379
parent	4b5807f344182fd392849b820642457212618e5f (diff)
download	zlib-03c356e4c106e4e6850edaae29be45290a2cb36c.tar.gz