[PATCH v1 0/2] erofs-utils: lib: fix ZSTD decompression safety issues
Utkal Singh
singhutkal015 at gmail.com
Tue Mar 17 08:28:45 AEDT 2026

This series fixes two issues in z_erofs_decompress_zstd() that can
be triggered by crafted EROFS filesystem images during extraction
(fsck.erofs) or FUSE mounting (erofsfuse).

Patch 1/2 adds validation for the ZSTD frame content size read from
on-disk compressed data. The frame content size (from the ZSTD frame
header) and the decoded length (from the extent map via
z_erofs_map_blocks_iter()) are independent metadata sources. A crafted
image can set them to inconsistent values, causing the output memcpy
to read beyond the decompressed buffer. The legacy
ZSTD_getDecompressedSize() fallback path is also fixed to reject
zero-sized frames.

Patch 2/2 fixes a missing error return when ZSTD decompression
produces a different number of bytes than expected. Without this,
the positive return value passes the caller's error check and
silently returns corrupted data.

Utkal Singh (2):
  erofs-utils: lib: validate ZSTD frame content size in decompression
  erofs-utils: lib: return error on ZSTD decompression length mismatch

 lib/decompress.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--
2.43.0
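
The cross-check described in the cover letter, as an added example that is not code from this patch series or from erofs-utils: the frame content size is read from the ZSTD frame header and compared with the copy window taken from the extent map, and a decode length mismatch becomes a negative error. It parses the header by hand per RFC 8878 instead of calling libzstd so that it runs stand-alone; the function names, the skip/want parameters, the error codes and the sample frame are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define FCS_UNKNOWN UINT64_MAX        /* header carries no content size */
#define FCS_ERROR   (UINT64_MAX - 1)  /* bad magic or truncated header */

/* Constructed sample header: single-segment frame declaring 16 bytes. */
static const uint8_t sample_fcs16[] = { 0x28, 0xB5, 0x2F, 0xFD, 0x20, 0x10 };

/* Read Frame_Content_Size from a ZSTD frame header (RFC 8878). */
static uint64_t frame_content_size(const uint8_t *p, size_t len)
{
	static const uint8_t did_len[4] = { 0, 1, 2, 4 };
	static const uint8_t fcs_len[4] = { 0, 2, 4, 8 };
	uint64_t v = 0;
	size_t off, n, i;
	int single;
	if (len < 5 || p[0] != 0x28 || p[1] != 0xB5 || p[2] != 0x2F || p[3] != 0xFD)
		return FCS_ERROR;
	single = (p[4] >> 5) & 1;             /* Single_Segment_Flag */
	n = fcs_len[p[4] >> 6];               /* Frame_Content_Size_Flag */
	if (!n && single)
		n = 1;
	if (!n)
		return FCS_UNKNOWN;
	off = 5 + (single ? 0 : 1) + did_len[p[4] & 3];  /* window desc + dict id */
	if (len < off + n)
		return FCS_ERROR;
	for (i = 0; i < n; i++)
		v |= (uint64_t)p[off + i] << (8 * i);
	return n == 2 ? v + 256 : v;          /* 2-byte field is stored minus 256 */
}

/* skip/want model the extent-map side: copy want bytes starting at skip. */
static int check_copy_window(const uint8_t *src, size_t len, uint64_t skip, uint64_t want)
{
	uint64_t total = frame_content_size(src, len);
	if (total >= FCS_ERROR || total == 0)
		return -EINVAL;               /* unknown, malformed or empty frame */
	if (skip > total || want > total - skip)
		return -ERANGE;               /* copy would run past the buffer */
	return 0;
}

/* A decode that yields a different byte count is an error, never a length. */
static int check_produced(uint64_t produced, uint64_t total)
{
	return produced == total ? 0 : -EIO;
}
```

The subtraction form `want > total - skip` avoids the overflow that `skip + want > total` would allow when both values come from untrusted metadata.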