Fix denial-of-service crashes in 8 decompressors on malformed input

[Copilot]

Coverage-guided fuzzing found 14 crash sites across 8 decompressors where stream-derived values (table sizes, code lengths, bit widths) were used as array indices or divisors without validation, causing unhandled IndexOutOfRangeException, DivideByZeroException, and NullReferenceException that terminate the process on any malformed archive input.

Fixes by decompressor

• LzwStream: Validate maxBits >= INIT_BITS (9) in ParseHeader; without this, code tables are undersized for the minimum 9-bit codes causing IOOB. Set eof = true before re-throwing ParseHeader exceptions to prevent DivideByZero on SkipEntry's subsequent read when nBits was never initialized.

• CBZip2InputStream:

  • Create()/CreateAsync(): Check Initialize() return value — previously ignored, leaving bsStream = null and causing NullRef in BsR
  • RecvDecodingTables: Validate nGroups ∈ [2,6]; validate each selector MTF value is < nGroups before using as array index into pos[]
  • HbCreateDecodeTables: Validate length[i] < MAX_CODE_LEN before basev[length[i]+1]++
  • GetAndMoveToFrontDecode: Validate zn < MAX_CODE_LEN in the Huffman bit-reading loop; validate permIdx in bounds before perm[zt][permIdx]
  • SetupBlock: Validate cftab[ch] < tt.Length and origPtr < tt.Length

• SqueezeStream: Validate non-leaf node index < numnodes in BuildDecodedStream traversal loop.

• ArcLzwStream: Guard empty compressed data before input[0] access; validate code < suffix.Length in the decompression loop.

• ExplodeStream: Create()/CreateAsync() now check the return value of explode_SetTables() and throw InvalidFormatException on failure rather than proceeding with uninitialized empty Huffman tables.

• Deflate64 HuffmanTree: Add index < array.Length guard before array[index] in CreateTable's binary tree traversal.

• ReduceStream: Validate nextByteIndex < nextByteTable[outByte].Length in GetNextByte — the bit-count table can yield an index equal to the table length.

• PPMd Model: Guard solid-mode suffix traversal in StartModel when _maximumContext == PpmContext.ZERO; add post-StartModel ZERO check in DecodeStart/DecodeStartAsync.

• LZMA OutWindow: Validate windowSize > 0 in Create() — a zero dictionary size skips buffer allocation leaving _buffer = null, then _buffer[windowSize - 1] faults.

All fixes are applied to both sync and async code paths. A new MalformedInputTests class covers all 10 reproduced crash inputs, asserting each throws a SharpCompressException subtype rather than a raw CLR exception.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Multiple decompressors crash on malformed input (IOOB, DivideByZero, NullRef)</issue_title>
<issue_description>Tags: BZip2, ZIP

Description

Fuzzing SharpCompress 0.47.0 with AFL++ and SharpFuzz found 9 unique crash sites across 4 decompressors, all triggered by small malformed archive inputs (38–98 bytes). The decompressors do not validate stream-derived fields before using them as array indices or divisors, leading to IndexOutOfRangeException, DivideByZeroException, and NullReferenceException.

These are exploitable for denial of service - any application that decompresses user-supplied archives using SharpCompress will crash on these inputs.

LzwStream (2 crash sites)

IOOB in LzwStream.Read:

System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at SharpCompress.Compressors.Lzw.LzwStream.Read(Byte[] buffer, Int32 offset, Int32 count)
   at SharpCompress.Common.EntryStream.Read(Byte[] buffer, Int32 offset, Int32 count)

DivideByZero in LzwStream.Read:

System.DivideByZeroException: Attempted to divide by zero.
   at SharpCompress.Compressors.Lzw.LzwStream.Read(Byte[] buffer, Int32 offset, Int32 count)
   at SharpCompress.Common.EntryStream.Read(Byte[] buffer, Int32 offset, Int32 count)

CBZip2InputStream (5 crash sites)

Note: #917 previously fixed an IOOB in RecvDecodingTables via nSelectors sanitization, but additional crash sites remain.

NullRef in BsR:

System.NullReferenceException: Object reference not set to an instance of an object.
   at SharpCompress.Compressors.BZip2.CBZip2InputStream.BsR(Int32 n)

IOOB in GetAndMoveToFrontDecode:

System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at SharpCompress.Compressors.BZip2.CBZip2InputStream.GetAndMoveToFrontDecode()
   at SharpCompress.Compressors.BZip2.CBZip2InputStream.InitBlock()

IOOB in SetupBlock:

System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at SharpCompress.Compressors.BZip2.CBZip2InputStream.SetupBlock()

IOOB in RecvDecodingTables:

System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at SharpCompress.Compressors.BZip2.CBZip2InputStream.RecvDecodingTables()

IOOB in HbCreateDecodeTables:

System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at SharpCompress.Compressors.BZip2.CBZip2InputStream.HbCreateDecodeTables(...)

SqueezeStream (1 crash site)

IOOB in BuildDecodedStream:

System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at SharpCompress.Compressors.Squeezed.SqueezeStream.BuildDecodedStream()

ArcLzwStream (1 crash site)

IOOB in Decompress:

System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at SharpCompress.Compressors.ArcLzw.ArcLzwStream.Decompress(Byte[] input, Boolean useCrunched)

Reproduction Code

using SharpCompress.Readers;

var crashes = new (string name, string hex)[]
{
    // LzwStream IOOB (98 bytes)
    ("LzwStream IOOB", "1f9d0836e1553ac4e1ce9ea227000000000000001070b4058faf051127c54144f8bfe54192e141bab6efe8032c41cd64004aef53da4acc8077a5b26245c47b97e6d615e29400000000000003edd1310a8030f1e2ee66ff535d800000000b00000000"),
    // LzwStream DivideByZero (82 bytes)
    ("LzwStream DivByZero", "1f9d1a362f20000000130003edd1310a8030f1605ca2b26245c47b97e6d615e29400000000130003edd1310a8030f1605c606060606060606060606060606060606060606060606060007f60606060280000"),
    // CBZip2InputStream NullRef in BsR (38 bytes)
    ("BZip2 NullRef", "425a6857575757575768575757575757fff2fff27c007159425a6857ff0f21007159c1e2d5e2"),
    // CBZip2InputStream IOOB in GetAndMoveToFrontDecode (65 bytes)
    ("BZip2 IOOB GetAndMove", "425a6839314159265359c1c080e2000001410000100244a000305a6839314159265359c1c080e2000001410000100244a00030cd00c3cd00c34629971772c080e2"),
    // SqueezeStream IOOB (53 bytes)
    ("Squeeze IOOB", "1a041a425a081a0000090000606839425a081730765cbb311042265300040000090000606839425a081730765cbb31104226530053"),
    // ArcLzwStream IOOB (55 bytes)
    ("ArcLzw IOOB", "1a081a1931081a00000000f9ffffff00000000ddff000000000000000000000000000012006068394200000080c431b37fff531042d9ff"),
};

foreach (var (name, hex) in crashes)
{
    try
    {
        var data = Convert.FromHexString(hex);
        using var ms = new MemoryStream(data);
        using var reader = ReaderFactory.OpenReader(ms);
        var buf = new byte[4096];
        while (reader.MoveToNextEntry())
        {
            if (!reader.Entry.IsDirectory)
            {
                using var entryStream = reader.OpenEntryStream();
                while (entryStream.Read(buf, 0, buf.Length) > 0) { }
            }
        }
        Console.WriteLine($"{name}: OK (no crash)");
    }
    catch (Exception ...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

- Fixes adamhathcock/sharpcompress#1251

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 Send tasks to Copilot coding agent from [Slack](https://gh.io/cca-slack-docs) and [Teams](https://gh.io/cca-teams-docs) to turn conversations into code. Copilot posts an update in your thread when it's finished.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (17 files)

• src/SharpCompress/Compressors/ArcLzw/ArcLzwStream.cs - Added empty input check and code bounds validation
• src/SharpCompress/Compressors/BZip2/CBZip2InputStream.cs - Added nGroups, selector MTF, Huffman code, and array index validations
• src/SharpCompress/Compressors/BZip2/CBZip2InputStream.Async.cs - Added async path validations matching sync code
• src/SharpCompress/Compressors/Deflate64/HuffmanTree.cs - Added array index bounds check in CreateTable
• src/SharpCompress/Compressors/Explode/ExplodeStream.cs - Added explode_SetTables return value check
• src/SharpCompress/Compressors/Explode/ExplodeStream.Async.cs - Added async path validation
• src/SharpCompress/Compressors/LZMA/LZ/LzOutWindow.cs - Added windowSize > 0 validation
• src/SharpCompress/Compressors/Lzw/LzwStream.cs - Added maxBits >= INIT_BITS check and EOF handling
• src/SharpCompress/Compressors/Lzw/LzwStream.Async.cs - Added async path validation
• src/SharpCompress/Compressors/PPMd/I1/Model.cs - Added model context initialization checks
• src/SharpCompress/Compressors/Reduce/ReduceStream.cs - Added nextByteIndex bounds validation
• src/SharpCompress/Compressors/Reduce/ReduceStream.Async.cs - Added async path validation
• src/SharpCompress/Compressors/Squeezed/SqueezedStream.cs - Added node index bounds validation
• src/SharpCompress/Compressors/Squeezed/SqueezedStream.Async.cs - Added async path validation
• tests/SharpCompress.Test/MalformedInputTests.cs - New test file covering all 10 crash scenarios

Review Notes

This is a well-implemented security fix that addresses denial-of-service vulnerabilities in 8 decompressors. The changes add proper input validation to convert raw system exceptions (IndexOutOfRangeException, DivideByZeroException, NullReferenceException) into library exceptions (InvalidFormatException), which is the correct behavior for handling malformed archive input.

Key observations:

• Both sync and async code paths are covered
• All error messages follow consistent naming convention (FormatName: error description)
• Tests cover all reported crash scenarios from fuzzing
• Changes maintain backward compatibility by only adding validation (no API changes)