facebook · Cyan4973 · Dec 10, 2019 · Nov 16, 2019 · Nov 16, 2019 · Nov 18, 2019
diff --git a/lib/compress/zstd_compress.c b/lib/compress/zstd_compress.c
@@ -2457,6 +2457,7 @@ static size_t ZSTD_compressBlock_targetCBlockSize(ZSTD_CCtx* zc,
                                const void* src, size_t srcSize,
                                U32 lastBlock) {
     size_t cSize = 0;
+    int usingNoCompressSuperBlock = 0;
     DEBUGLOG(5, "ZSTD_compressBlock_targetCBlockSize (dstCapacity=%u, dictLimit=%u, nextToUpdate=%u, srcSize=%zu)",
                 (unsigned)dstCapacity, (unsigned)zc->blockState.matchState.window.dictLimit, (unsigned)zc->blockState.matchState.nextToUpdate, srcSize);
 
@@ -2472,6 +2473,7 @@ static size_t ZSTD_compressBlock_targetCBlockSize(ZSTD_CCtx* zc,
      */
     if (cSize == 0) {
         cSize = ZSTD_noCompressSuperBlock(dst, dstCapacity, src, srcSize, zc->appliedParams.targetCBlockSize, lastBlock);
+        usingNoCompressSuperBlock = 1;
         /* In compression, there is an assumption that a compressed block is always
          * within the size of ZSTD_compressBound(). However, SuperBlock compression
          * can exceed the limit due to overhead of headers from SubBlocks.
@@ -2480,8 +2482,11 @@ static size_t ZSTD_compressBlock_targetCBlockSize(ZSTD_CCtx* zc,
          * enough for SuperBlock compression.
          * In such case, fall back to normal compression. This is possible because
          * targetCBlockSize is best effort not a guarantee. */
-        if (cSize != ERROR(dstSize_tooSmall)) return cSize;
-        else {
+        if (cSize == ERROR(dstSize_tooSmall) || (dstCapacity - cSize) < 4) {
+            /* We check (dstCapacity - cSize) >= 4 above because we have to make sure
+             * to leave enough room for the checksum that will eventually get added in
+             * the epilogue. Otherwise, we're just going to throw the dstSize_tooSmall
+             * error there instead of here */
             BYTE* const ostart = (BYTE*)dst;
             /* If ZSTD_noCompressSuperBlock fails with dstSize_tooSmall,
              * compress normally.
@@ -2493,15 +2498,22 @@ static size_t ZSTD_compressBlock_targetCBlockSize(ZSTD_CCtx* zc,
                     srcSize,
                     zc->entropyWorkspace, HUF_WORKSPACE_SIZE /* statically allocated in resetCCtx */,
                     zc->bmi2);
-            if (!ZSTD_isError(cSize) && cSize != 0) {
+
+            FORWARD_IF_ERROR(cSize);
+            if (cSize == 0) {
+                /* If compressSequences didn't work, we just output a regular
+                 * uncompressed block */
+                cSize = ZSTD_noCompressBlock(dst, dstCapacity, src, srcSize, lastBlock);
+                FORWARD_IF_ERROR(cSize);
+            } else {
                 U32 const cBlockHeader24 = lastBlock + (((U32)bt_compressed)<<1) + (U32)(cSize << 3);
                 MEM_writeLE24(ostart, cBlockHeader24);
                 cSize += ZSTD_blockHeaderSize;
             }
         }
     }
 
-    if (!ZSTD_isError(cSize) && cSize != 0) {
+    if (!ZSTD_isError(cSize) && !usingNoCompressSuperBlock) {
         /* confirm repcodes and entropy tables when emitting a compressed block */
         ZSTD_compressedBlockState_t* const tmp = zc->blockState.prevCBlock;
         zc->blockState.prevCBlock = zc->blockState.nextCBlock;
@@ -2853,7 +2865,7 @@ static size_t ZSTD_checkDictNCount(short* normalizedCounter, unsigned dictMaxSym
 
 size_t ZSTD_loadCEntropy(ZSTD_compressedBlockState_t* bs, void* workspace,
                          short* offcodeNCount, unsigned* offcodeMaxValue,
-                         const void* const dict, size_t dictSize) 
+                         const void* const dict, size_t dictSize)
 {
     const BYTE* dictPtr = (const BYTE*)dict;    /* skip magic num and dict ID */
     const BYTE* const dictEnd = dictPtr + dictSize;

diff --git a/tests/fuzzer.c b/tests/fuzzer.c
@@ -427,7 +427,6 @@ static int basicUnitTests(U32 const seed, double compressibility)
     }   }
     DISPLAYLEVEL(3, "OK \n");
 
-
     DISPLAYLEVEL(3, "test%3i : decompress with null dict : ", testNb++);
     {   ZSTD_DCtx* const dctx = ZSTD_createDCtx(); assert(dctx != NULL);
         {   size_t const r = ZSTD_decompress_usingDict(dctx,
@@ -490,6 +489,19 @@ static int basicUnitTests(U32 const seed, double compressibility)
     }
     DISPLAYLEVEL(3, "OK \n");
 
+    DISPLAYLEVEL(3, "test%3d: superblock enough room for checksum : ", testNb++)
+    {
+        /* This tests whether or not we leave enough room for the checksum at the end
+         * of the dst buffer. The bug that motivated this test was found by the
+         * stream_round_trip fuzzer but this crashes for the same reason and is
+         * far more compact than re-creating the stream_round_trip fuzzer's code path */
+        ZSTD_CCtx *cctx = ZSTD_createCCtx();
+        ZSTD_CCtx_setParameter(cctx, ZSTD_c_targetCBlockSize, 64);
+        assert(!ZSTD_isError(ZSTD_compress2(cctx, compressedBuffer, 1339, CNBuffer, 1278)));
+        ZSTD_freeCCtx(cctx);
+    }
+    DISPLAYLEVEL(3, "OK \n");
+
     DISPLAYLEVEL(3, "test%3d : check CCtx size after compressing empty input : ", testNb++);
     {   ZSTD_CCtx* const cctx = ZSTD_createCCtx();
         size_t const r = ZSTD_compressCCtx(cctx, compressedBuffer, compressedBufferSize, NULL, 0, 19);