Don't read past end of scratch buffer (#26)

When the incoming input buffer is short, we must make sure that we properly set inputLimitMinMaxTagLength to prevent buffer overruns. Otherwise we'll read past the end of the buffer. Close #25
brantburnett · Nov 3, 2020 · 6876d6e · 6876d6e
1 parent c9ddcf0
commit 6876d6e
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 2 deletions.
diff --git a/Snappier.Tests/Internal/SnappyDecompressorTests.cs b/Snappier.Tests/Internal/SnappyDecompressorTests.cs
@@ -0,0 +1,34 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using Snappier.Internal;
+using Xunit;
+
+namespace Snappier.Tests.Internal
+{
+    public class SnappyDecompressorTests
+    {
+        #region DecompressAllTags
+
+        [Fact]
+        public void DecompressAllTags_ShortInputBufferWhichCopiesToScratch_DoesNotReadPastEndOfScratch()
+        {
+            // Arrange
+
+            var decompressor = new SnappyDecompressor();
+            decompressor.SetExpectedLengthForTest(1024);
+
+            decompressor.WriteToBufferForTest(Enumerable.Range(0, 255).Select(p => (byte) p).ToArray());
+
+            // if in error, decompressor will read the 222, 0, 0 as the next tag and throw a copy offset exception
+            decompressor.LoadScratchForTest(new byte[] { 222, 222, 222, 222, 0, 0 }, 0);
+
+            // Act
+
+            decompressor.DecompressAllTags(new byte[] { 150, 255, 0 });
+        }
+
+        #endregion
+    }
+}
diff --git a/Snappier/Internal/SnappyDecompressor.cs b/Snappier/Internal/SnappyDecompressor.cs
@@ -8,7 +8,7 @@ namespace Snappier.Internal
 {
     internal sealed class SnappyDecompressor : IDisposable
     {
-        private readonly byte[] _scratch = new byte[Constants.MaximumTagLength];
+        private byte[] _scratch = new byte[Constants.MaximumTagLength];
         private int _scratchLength = 0;
 
         private int _remainingLiteral;
@@ -176,7 +176,7 @@ public static int ReadUncompressedLength(ReadOnlySpan<byte> input)
             return result;
         }
 
-        private unsafe void DecompressAllTags(ReadOnlySpan<byte> inputSpan)
+        internal unsafe void DecompressAllTags(ReadOnlySpan<byte> inputSpan)
         {
             // Put Constants.CharTable on the stack to simplify lookups within the loops below
             ReadOnlySpan<ushort> charTable = Constants.CharTable.AsSpan();
@@ -278,6 +278,9 @@ private unsafe void DecompressAllTags(ReadOnlySpan<byte> inputSpan)
                                     {
                                         goto exit;
                                     }
+
+                                    inputLimitMinMaxTagLength = inputEnd - Math.Min(inputEnd - input,
+                                       Constants.MaximumTagLength - 1);
                                 }
 
                                 uint preload = Helpers.UnsafeReadUInt32(input);
@@ -604,6 +607,36 @@ public int Read(Span<byte> destination)
 
         #endregion
 
+        #region Test Helpers
+
+        /// <summary>
+        /// Load some data into the output buffer, only used for testing.
+        /// </summary>
+        /// <param name="toWrite"></param>
+        internal void WriteToBufferForTest(ReadOnlySpan<byte> toWrite)
+        {
+            Append(toWrite);
+        }
+
+        /// <summary>
+        /// Load a byte array into _scratch, only used for testing.
+        /// </summary>
+        internal void LoadScratchForTest(byte[] newScratch, int newScratchLength)
+        {
+            _scratch = newScratch ?? throw new ArgumentNullException(nameof(newScratch));
+            _scratchLength = newScratchLength;
+        }
+
+        /// <summary>
+        /// Only used for testing.
+        /// </summary>
+        internal void SetExpectedLengthForTest(int expectedLength)
+        {
+            ExpectedLength = expectedLength;
+        }
+
+        #endregion
+
         public void Dispose()
         {
             _lookbackBufferOwner?.Dispose();