fix Add missing bounds checks during compression

backport-zstd-1.5.0-patch-13-fix-Add-missing-bounds-checks-during-compression.patch

@@ -0,0 +1,53 @@
+From 05b6773fbcce1075edbe498a821f9a41249cf384 Mon Sep 17 00:00:00 2001
+From: Nick Terrell <terrelln@fb.com>
+Date: Mon, 14 Jun 2021 11:25:55 -0700
+Subject: [PATCH 0759/1000] [fix] Add missing bounds checks during compression
+
+* The block splitter missed a bounds check, so when the buffer is too small it
+  passes an erroneously large size to `ZSTD_entropyCompressSeqStore()`, which
+  can then write the compressed data past the end of the buffer. This is a new
+  regression in v1.5.0 when the block splitter is enabled. It is either enabled
+  explicitly, or implicitly when using the optimal parser and `ZSTD_compress2()`
+  or `ZSTD_compressStream*()`.
+* `HUF_writeCTable_wksp()` omits a bounds check when calling
+  `HUF_compressWeights()`. If it is called with `dstCapacity == 0` it will pass
+  an erroneously large size to `HUF_compressWeights()`, which can then write
+  past the end of the buffer. This bug has been present for ages. However, I
+  believe that zstd cannot trigger the bug, because it never calls
+  `HUF_compress*()` with `dstCapacity == 0` because of [this check][1].
+
+Credit to: Oss-Fuzz
+
+[1]: https://github.com/facebook/zstd/blob/89127e5ee2f3c1e141668fa6d4ee91245f05d132/lib/compress/zstd_compress_literals.c#L100
+---
+ lib/compress/huf_compress.c  | 1 +
+ lib/compress/zstd_compress.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/lib/compress/huf_compress.c b/lib/compress/huf_compress.c
+index 485906e6..e9cb0bd5 100644
+--- a/lib/compress/huf_compress.c
++++ b/lib/compress/huf_compress.c
+@@ -133,6 +133,7 @@ size_t HUF_writeCTable_wksp(void* dst, size_t maxDstSize,
+         wksp->huffWeight[n] = wksp->bitsToWeight[CTable[n].nbBits];
+ 
+     /* attempt weights compression by FSE */
++    if (maxDstSize < 1) return ERROR(dstSize_tooSmall);
+     {   CHECK_V_F(hSize, HUF_compressWeights(op+1, maxDstSize-1, wksp->huffWeight, maxSymbolValue, &wksp->wksp, sizeof(wksp->wksp)) );
+         if ((hSize>1) & (hSize < maxSymbolValue/2)) {   /* FSE compressed */
+             op[0] = (BYTE)hSize;
+diff --git a/lib/compress/zstd_compress.c b/lib/compress/zstd_compress.c
+index 70f16935..9e814e31 100644
+--- a/lib/compress/zstd_compress.c
++++ b/lib/compress/zstd_compress.c
+@@ -3486,6 +3486,7 @@ static size_t ZSTD_compressSeqStore_singleBlock(ZSTD_CCtx* zc, seqStore_t* const
+     if (isPartition)
+         ZSTD_seqStore_resolveOffCodes(dRep, cRep, seqStore, (U32)(seqStore->sequences - seqStore->sequencesStart));
+ 
++    RETURN_ERROR_IF(dstCapacity < ZSTD_blockHeaderSize, dstSize_tooSmall, "Block header doesn't fit");
+     cSeqsSize = ZSTD_entropyCompressSeqStore(seqStore,
+                 &zc->blockState.prevCBlock->entropy, &zc->blockState.nextCBlock->entropy,
+                 &zc->appliedParams,
+-- 
+2.23.0
+

zstd.spec

@@ -2,7 +2,7 @@
 
 Name:            zstd
 Version:         1.5.0
-Release:	 15
+Release:	 16
 Summary:         A fast lossless compression algorithm
 License:         BSD and GPLv2
 URL:             https://github.com/facebook/zstd
@@ -20,6 +20,7 @@ Patch9:          patch-9-add-test-c-result-print.patch
 Patch10:         backport-zstd-1.5.0-patch-10-fix-entropy-repeat-mode-bug.patch
 Patch11:         backport-zstd-1.5.0-patch-11-Fix-progress-flag-to-properly-control-progress-display-and-default.patch
 Patch12:         backport-zstd-1.5.0-patch-12-Z_PREFIX-zError-function.patch
+Patch13:         backport-zstd-1.5.0-patch-13-fix-Add-missing-bounds-checks-during-compression.patch
 
 BuildRequires:   gtest-devel gcc-c++ pkg-config
 
@@ -98,6 +99,9 @@ install -D -m644 programs/zstd.1 %{buildroot}%{_mandir}/man1/pzstd.1
 %{_mandir}/man1/*.1*
 
 %changelog
+* Tue Dec 14 2021 zhangxiao <zhangxiao131@huawei.com> - 1.5.0.16
+* fix Add missing bounds checks during compression
+
 * Tue Dec 14 2021 zhangxiao <zhangxiao131@huawei.com> - 1.5.0.15
 * Z_PREFIX zError function