[PATCH v1 1/2] erofs-utils: lib: validate ZSTD frame content size in decompression
Gao Xiang
hsiangkao at linux.alibaba.com
Tue Mar 17 13:10:01 AEDT 2026
On 2026/3/17 05:28, Utkal Singh wrote:
> ZSTD_getFrameContentSize() reads the content size from the ZSTD
> frame header in the compressed data. This is untrusted on-disk
> metadata, independent from the extent map that provides
> rq->decodedlength via z_erofs_map_blocks_iter().
>
> A crafted EROFS image can set the extent map to claim a decoded
> length larger than the actual ZSTD frame content size. When this
> happens, a buffer of the (smaller) frame content size is allocated
> and decompressed into, but the subsequent memcpy copies
> rq->decodedlength bytes from it — a potential out-of-bounds read.
>
> Additionally, the ZSTD_getDecompressedSize() legacy fallback
> returns 0 for frames without a content size field. This leads to
> malloc(0) followed by out-of-bounds access on the returned pointer.
>
> Reject frames where the reported content size is zero or smaller
> than the expected decoded length.
For this kind of commit, please always add a reproducible way.
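As an added illustration of the check the commit message describes (not code from the patch, from erofs-utils or from libzstd), the following parses just enough of the Zstandard frame header (RFC 8878) to recover Frame_Content_Size and then applies the rule "reject a size of zero or one smaller than the decoded length the extent map claims". It is written against a hand-rolled header parser so it runs without libzstd; the function names, the -EBADMSG error code, the enum and the three sample frames are assumptions made for this example. Where this parser reports FCS_ABSENT, libzstd's ZSTD_getFrameContentSize() returns ZSTD_CONTENTSIZE_UNKNOWN and the legacy ZSTD_getDecompressedSize() returns 0, which is why the check treats absent, malformed and zero-sized frames alike.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of reading Frame_Content_Size from a Zstandard frame header.
 * (Hypothetical names for this example.) */
enum fcs_status { FCS_PRESENT = 0, FCS_ABSENT = 1, FCS_MALFORMED = 2 };

static uint64_t rd_le(const uint8_t *p, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Parse the frame header (RFC 8878 section 3.1.1) up to Frame_Content_Size.
 * Layout: Magic(4) | Frame_Header_Descriptor(1) | Window_Descriptor(0-1) |
 *         Dictionary_ID(0/1/2/4) | Frame_Content_Size(0/1/2/4/8) */
enum fcs_status zstd_frame_content_size(const uint8_t *buf, size_t len,
                                        uint64_t *out)
{
    static const unsigned did_size[4] = { 0, 1, 2, 4 };
    size_t pos = 4;

    if (len < 5 || rd_le(buf, 4) != 0xFD2FB528u)   /* magic 28 B5 2F FD */
        return FCS_MALFORMED;

    uint8_t fhd = buf[pos++];
    unsigned fcs_flag = fhd >> 6;                   /* bits 7-6 */
    int single_segment = (fhd >> 5) & 1;            /* bit 5 */
    if (fhd & 0x08)                                 /* bit 3 is reserved, must be 0 */
        return FCS_MALFORMED;

    /* FCS_Field_Size: flag 0 -> 0 bytes, or 1 byte when Single_Segment is set;
     * flag 1 -> 2 bytes, flag 2 -> 4 bytes, flag 3 -> 8 bytes. */
    unsigned fcs_size = fcs_flag ? (1u << fcs_flag) : (single_segment ? 1 : 0);

    if (!single_segment)
        pos += 1;                                   /* Window_Descriptor */
    pos += did_size[fhd & 3];                       /* Dictionary_ID */
    if (pos > len)
        return FCS_MALFORMED;
    if (fcs_size == 0)
        return FCS_ABSENT;                          /* libzstd: CONTENTSIZE_UNKNOWN */
    if (pos + fcs_size > len)
        return FCS_MALFORMED;

    uint64_t v = rd_le(buf + pos, fcs_size);
    if (fcs_size == 2)
        v += 256;                                   /* 2-byte field is biased by 256 */
    *out = v;
    return FCS_PRESENT;
}

/* The rule from the commit message: reject frames whose reported content size
 * is zero, absent or smaller than the decoded length the extent map claims. */
int zstd_check_decoded_length(const uint8_t *buf, size_t len, size_t expected)
{
    uint64_t fcs;

    if (zstd_frame_content_size(buf, len, &fcs) != FCS_PRESENT)
        return -EBADMSG;
    if (fcs == 0 || fcs < expected)
        return -EBADMSG;
    return 0;
}

/* Demo helper: claimed size, or 0 when the field is absent or malformed. */
uint64_t zstd_claimed_size(const uint8_t *buf, size_t len)
{
    uint64_t v;
    return zstd_frame_content_size(buf, len, &v) == FCS_PRESENT ? v : 0;
}

/* Constructed sample frames for this example, not taken from any real image. */
/* A: Single_Segment set, 1-byte FCS = 3, one raw last block carrying "abc". */
static const uint8_t frame_fcs3[] = {
    0x28, 0xB5, 0x2F, 0xFD, 0x20, 0x03, 0x19, 0x00, 0x00, 'a', 'b', 'c' };
/* B: no FCS field (fcs_flag 0, Single_Segment clear), Window_Descriptor 0x00. */
static const uint8_t frame_nofcs[] = {
    0x28, 0xB5, 0x2F, 0xFD, 0x00, 0x00, 0x19, 0x00, 0x00, 'a', 'b', 'c' };
/* C: header only, 2-byte FCS field 0x0100 -> 256 + 256 = 512 claimed bytes. */
static const uint8_t frame_fcs512[] = {
    0x28, 0xB5, 0x2F, 0xFD, 0x40, 0x00, 0x00, 0x01 };

int main(void)
{
    printf("A claims %llu: check(3)=%d check(4)=%d\n",
           (unsigned long long)zstd_claimed_size(frame_fcs3, sizeof frame_fcs3),
           zstd_check_decoded_length(frame_fcs3, sizeof frame_fcs3, 3),
           zstd_check_decoded_length(frame_fcs3, sizeof frame_fcs3, 4));
    printf("B (no FCS): check(3)=%d\n",
           zstd_check_decoded_length(frame_nofcs, sizeof frame_nofcs, 3));
    printf("C claims %llu\n",
           (unsigned long long)zstd_claimed_size(frame_fcs512, sizeof frame_fcs512));
    return 0;
}
```

Frame A passes only when the extent map asks for at most 3 bytes; frame B, which has no content-size field, is rejected outright rather than being allowed to reach malloc(0); a truncated copy of frame C is rejected as malformed before the size field is read.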