Several allocation sizes were computed from input-controlled counts or lengths and could wrap before the malloc/fread, yielding an undersized buffer that is then indexed past its end (mainly on 32-bit targets such as DJGPP, where size_t is 32 bits):

- ingest restore_v2 multiplied an untrusted 32-bit chunk count from the archive header by the entry size; cap the count (also bounds memory).
- ingest write and uc2_dict_serialize had the same multiply/add on locally-derived sizes; cap them too.
- uc2_blockstore_ingest checked off + clen > len, which can wrap; rewrite as off > len || clen > len - off.
- the libarchive plugin's extract_write grew its buffer with an unchecked len addition and power-of-two doubling that could wrap; guard both.
- uc2_bwt_revert used the caller-supplied primary_index to index its buffers without a bound, and multiplied len by sizeof(uint32_t) without an overflow check.

Also: uc2_merkle_build used the realloc result without checking it, so an OOM left tree->chunks NULL and the next write dereferenced it; keep the chunks gathered so far instead.

22/22 ctest on Release and ASan.
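The wrapping bounds check and the count cap described in the commit message, shown as an added example that is not part of the commit or the project's code. `sz32` models a 32-bit size_t; the function names, `MAX_CHUNKS` and the sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Models a 32-bit size_t (as on DJGPP) so the wrap is visible on any host. */
typedef uint32_t sz32;

/* "Before" form: off + clen is reduced mod 2^32, so a huge clen passes. */
static int range_ok_wrapping(sz32 off, sz32 clen, sz32 len)
{
    return !((sz32)(off + clen) > len);
}

/* Rewritten form from the commit message: no addition, so nothing can wrap.
 * The first test short-circuits, so len - off never underflows. */
static int range_ok(sz32 off, sz32 clen, sz32 len)
{
    return !(off > len || clen > len - off);
}

/* Hypothetical cap on an untrusted chunk count (assumed value). */
#define MAX_CHUNKS 1000000u

/* Computes count * entry_size into *out; returns 0 if capped or would wrap. */
static int table_bytes(sz32 count, sz32 entry_size, sz32 *out)
{
    if (count > MAX_CHUNKS)
        return 0;
    if (entry_size != 0 && count > UINT32_MAX / entry_size)
        return 0;
    *out = count * entry_size;
    return 1;
}

int main(void)
{
    /* Constructed values: a 4096-byte buffer and a chunk length near 2^32. */
    sz32 len = 4096, off = 16, clen = 0xFFFFFFF8u, bytes = 0;

    printf("wrapping check accepts: %d\n", range_ok_wrapping(off, clen, len));
    printf("rewritten check accepts: %d\n", range_ok(off, clen, len));
    printf("count 0x20000000 * 8 allowed: %d\n",
           table_bytes(0x20000000u, 8, &bytes));
    return 0;
}
```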