ad923d7ea0
Some checks failed
Build / Linux (push) Has been cancelled
Build / Windows (MSVC) (push) Has been cancelled
Build / macOS (push) Has been cancelled
Build / libarchive plugin (push) Has been cancelled
Build / DOS (DJGPP) (push) Has been cancelled
Docs / build (push) Has been cancelled
Docs / deploy (push) Has been cancelled
A crafted archive could crash the reader with an out-of-bounds read in the directory-skip path (uc2_finish_cdir -> uc2_read_cdir -> uc2_get_tag). decompress_cdir allocates cdir_buf inside its decode loop but, on its error paths (decode failure or a checksum mismatch), returned before setting cdir_range.end -- leaving cdir_buf non-NULL with a stale end. A later uc2_read_cdir/uc2_finish_cdir then saw cdir_buf != NULL, skipped re-reading, and walked a range whose end pointed below its start, so range_len wrapped and range_get handed out wild pointers. Free cdir_buf on every error path so the invariant "cdir_buf != NULL iff cdir_range is valid" holds, and make range_len report an empty range (rather than a huge one) if end ever precedes ptr, as defense in depth for the whole parser. Also add a compression-ratio ceiling to the cdir decode: a tiny crafted stream can expand via long matches, so abort once the output far outgrows the compressed bytes consumed. Found with a new libFuzzer harness (tests/fuzz/, not built by default). Memory-safety is clean over sustained fuzzing after this change; 22/22 ctest on Release and ASan. A residual slow-input timeout via a separate decode path is tracked for follow-up.