/src/xz/src/liblzma/common/index_hash.c

Source
// SPDX-License-Identifier: 0BSD

///////////////////////////////////////////////////////////////////////////////
//
/// \file       index_hash.c
/// \brief      Validates Index by using a hash function
//
//  Author:     Lasse Collin
//
///////////////////////////////////////////////////////////////////////////////

#include "common.h"
#include "index.h"
#include "check.h"


typedef struct {
  /// Sum of the Block sizes (including Block Padding)
  lzma_vli blocks_size;

  /// Sum of the Uncompressed Size fields
  lzma_vli uncompressed_size;

  /// Number of Records
  lzma_vli count;

  /// Size of the List of Index Records as bytes
  lzma_vli index_list_size;

  /// Check calculated from Unpadded Sizes and Uncompressed Sizes.
  lzma_check_state check;

} lzma_index_hash_info;


struct lzma_index_hash_s {
  enum {
    SEQ_BLOCK,
    SEQ_COUNT,
    SEQ_UNPADDED,
    SEQ_UNCOMPRESSED,
    SEQ_PADDING_INIT,
    SEQ_PADDING,
    SEQ_CRC32,
  } sequence;

  /// Information collected while decoding the actual Blocks.
  lzma_index_hash_info blocks;

  /// Information collected from the Index field.
  lzma_index_hash_info records;

  /// Number of Records not fully decoded
  lzma_vli remaining;

  /// Unpadded Size currently being read from an Index Record.
  lzma_vli unpadded_size;

  /// Uncompressed Size currently being read from an Index Record.
  lzma_vli uncompressed_size;

  /// Position in variable-length integers when decoding them from
  /// the List of Records.
  size_t pos;

  /// CRC32 of the Index
  uint32_t crc32;
};


extern LZMA_API(lzma_index_hash *)
lzma_index_hash_init(lzma_index_hash *index_hash,
    const lzma_allocator *allocator)
{
  if (index_hash == NULL) {
    index_hash = lzma_alloc(sizeof(lzma_index_hash), allocator);
    if (index_hash == NULL)
      return NULL;
  }

  index_hash->sequence = SEQ_BLOCK;
  index_hash->blocks.blocks_size = 0;
  index_hash->blocks.uncompressed_size = 0;
  index_hash->blocks.count = 0;
  index_hash->blocks.index_list_size = 0;
  index_hash->records.blocks_size = 0;
  index_hash->records.uncompressed_size = 0;
  index_hash->records.count = 0;
  index_hash->records.index_list_size = 0;
  index_hash->unpadded_size = 0;
  index_hash->uncompressed_size = 0;
  index_hash->pos = 0;
  index_hash->crc32 = 0;

  // These cannot fail because LZMA_CHECK_BEST is known to be supported.
  (void)lzma_check_init(&index_hash->blocks.check, LZMA_CHECK_BEST);
  (void)lzma_check_init(&index_hash->records.check, LZMA_CHECK_BEST);

  return index_hash;
}


extern LZMA_API(void)
lzma_index_hash_end(lzma_index_hash *index_hash,
    const lzma_allocator *allocator)
{
  lzma_free(index_hash, allocator);
  return;
}


extern LZMA_API(lzma_vli)
lzma_index_hash_size(const lzma_index_hash *index_hash)
{
  // Get the size of the Index from ->blocks instead of ->records for
  // cases where application wants to know the Index Size before
  // decoding the Index.
  return index_size(index_hash->blocks.count,
      index_hash->blocks.index_list_size);
}


/// Updates the sizes and the hash without any validation.
static void
hash_append(lzma_index_hash_info *info, lzma_vli unpadded_size,
    lzma_vli uncompressed_size)
{
  info->blocks_size += vli_ceil4(unpadded_size);
  info->uncompressed_size += uncompressed_size;
  info->index_list_size += lzma_vli_size(unpadded_size)
      + lzma_vli_size(uncompressed_size);
  ++info->count;

  const lzma_vli sizes[2] = { unpadded_size, uncompressed_size };
  lzma_check_update(&info->check, LZMA_CHECK_BEST,
      (const uint8_t *)(sizes), sizeof(sizes));

  return;
}


extern LZMA_API(lzma_ret)
lzma_index_hash_append(lzma_index_hash *index_hash, lzma_vli unpadded_size,
    lzma_vli uncompressed_size)
{
  // Validate the arguments.
  if (index_hash == NULL || index_hash->sequence != SEQ_BLOCK
      || unpadded_size < UNPADDED_SIZE_MIN
      || unpadded_size > UNPADDED_SIZE_MAX
      || uncompressed_size > LZMA_VLI_MAX)
    return LZMA_PROG_ERROR;

  // Update the hash.
  hash_append(&index_hash->blocks, unpadded_size, uncompressed_size);

  // Validate the properties of *info are still in allowed limits.
  if (index_hash->blocks.blocks_size > LZMA_VLI_MAX
      || index_hash->blocks.uncompressed_size > LZMA_VLI_MAX
      || index_size(index_hash->blocks.count,
          index_hash->blocks.index_list_size)
        > LZMA_BACKWARD_SIZE_MAX
      || index_stream_size(index_hash->blocks.blocks_size,
          index_hash->blocks.count,
          index_hash->blocks.index_list_size)
        > LZMA_VLI_MAX)
    return LZMA_DATA_ERROR;

  return LZMA_OK;
}


extern LZMA_API(lzma_ret)
lzma_index_hash_decode(lzma_index_hash *index_hash, const uint8_t *in,
    size_t *in_pos, size_t in_size)
{
  // Catch zero input buffer here, because in contrast to Index encoder
  // and decoder functions, applications call this function directly
  // instead of via lzma_code(), which does the buffer checking.
  if (*in_pos >= in_size)
    return LZMA_BUF_ERROR;

  // NOTE: This function has many similarities to index_encode() and
  // index_decode() functions found from index_encoder.c and
  // index_decoder.c. See the comments especially in index_encoder.c.
  const size_t in_start = *in_pos;
  lzma_ret ret = LZMA_OK;

  while (*in_pos < in_size)
  switch (index_hash->sequence) {
  case SEQ_BLOCK:
    // Check the Index Indicator is present.
    if (in[(*in_pos)++] != INDEX_INDICATOR)
      return LZMA_DATA_ERROR;

    index_hash->sequence = SEQ_COUNT;
    break;

  case SEQ_COUNT: {
    ret = lzma_vli_decode(&index_hash->remaining,
        &index_hash->pos, in, in_pos, in_size);
    if (ret != LZMA_STREAM_END)
      goto out;

    // The count must match the count of the Blocks decoded.
    if (index_hash->remaining != index_hash->blocks.count)
      return LZMA_DATA_ERROR;

    ret = LZMA_OK;
    index_hash->pos = 0;

    // Handle the special case when there are no Blocks.
    index_hash->sequence = index_hash->remaining == 0
        ? SEQ_PADDING_INIT : SEQ_UNPADDED;
    break;
  }

  case SEQ_UNPADDED:
  case SEQ_UNCOMPRESSED: {
    lzma_vli *size = index_hash->sequence == SEQ_UNPADDED
        ? &index_hash->unpadded_size
        : &index_hash->uncompressed_size;

    ret = lzma_vli_decode(size, &index_hash->pos,
        in, in_pos, in_size);
    if (ret != LZMA_STREAM_END)
      goto out;

    ret = LZMA_OK;
    index_hash->pos = 0;

    if (index_hash->sequence == SEQ_UNPADDED) {
      if (index_hash->unpadded_size < UNPADDED_SIZE_MIN
          || index_hash->unpadded_size
            > UNPADDED_SIZE_MAX)
        return LZMA_DATA_ERROR;

      index_hash->sequence = SEQ_UNCOMPRESSED;
    } else {
      // Update the hash.
      hash_append(&index_hash->records,
          index_hash->unpadded_size,
          index_hash->uncompressed_size);

      // Verify that we don't go over the known sizes. Note
      // that this validation is simpler than the one used
      // in lzma_index_hash_append(), because here we know
      // that values in index_hash->blocks are already
      // validated and we are fine as long as we don't
      // exceed them in index_hash->records.
      if (index_hash->blocks.blocks_size
          < index_hash->records.blocks_size
          || index_hash->blocks.uncompressed_size
          < index_hash->records.uncompressed_size
          || index_hash->blocks.index_list_size
          < index_hash->records.index_list_size)
        return LZMA_DATA_ERROR;

      // Check if this was the last Record.
      index_hash->sequence = --index_hash->remaining == 0
          ? SEQ_PADDING_INIT : SEQ_UNPADDED;
    }

    break;
  }

  case SEQ_PADDING_INIT:
    index_hash->pos = (LZMA_VLI_C(4) - index_size_unpadded(
        index_hash->records.count,
        index_hash->records.index_list_size)) & 3;

    index_hash->sequence = SEQ_PADDING;
    FALLTHROUGH;

  case SEQ_PADDING:
    if (index_hash->pos > 0) {
      --index_hash->pos;
      if (in[(*in_pos)++] != 0x00)
        return LZMA_DATA_ERROR;

      break;
    }

    // Compare the sizes.
    if (index_hash->blocks.blocks_size
        != index_hash->records.blocks_size
        || index_hash->blocks.uncompressed_size
        != index_hash->records.uncompressed_size
        || index_hash->blocks.index_list_size
        != index_hash->records.index_list_size)
      return LZMA_DATA_ERROR;

    // Finish the hashes and compare them.
    lzma_check_finish(&index_hash->blocks.check, LZMA_CHECK_BEST);
    lzma_check_finish(&index_hash->records.check, LZMA_CHECK_BEST);
    if (memcmp(index_hash->blocks.check.buffer.u8,
        index_hash->records.check.buffer.u8,
        lzma_check_size(LZMA_CHECK_BEST)) != 0)
      return LZMA_DATA_ERROR;

    // Finish the CRC32 calculation.
    index_hash->crc32 = lzma_crc32(in + in_start,
        *in_pos - in_start, index_hash->crc32);

    index_hash->sequence = SEQ_CRC32;
    FALLTHROUGH;

  case SEQ_CRC32:
    do {
      if (*in_pos == in_size)
        return LZMA_OK;

      if (((index_hash->crc32 >> (index_hash->pos * 8))
          & 0xFF) != in[(*in_pos)++]) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
        return LZMA_DATA_ERROR;
#endif
      }

    } while (++index_hash->pos < 4);

    return LZMA_STREAM_END;

  default:
    assert(0);
    return LZMA_PROG_ERROR;
  }

out:
  // Update the CRC32.
  //
  // Avoid null pointer + 0 (undefined behavior) in "in + in_start".
  // In such a case we had no input and thus in_used == 0.
  {
    const size_t in_used = *in_pos - in_start;
    if (in_used > 0)
      index_hash->crc32 = lzma_crc32(in + in_start,
          in_used, index_hash->crc32);
  }

  return ret;
}

Coverage Report

Created: 2025-12-03 07:28

Line	Count	Source
1		// SPDX-License-Identifier: 0BSD
2
3		///////////////////////////////////////////////////////////////////////////////
4		//
5		/// \file index_hash.c
6		/// \brief Validates Index by using a hash function
7		//
8		// Author: Lasse Collin
9		//
10		///////////////////////////////////////////////////////////////////////////////
11
12		#include "common.h"
13		#include "index.h"
14		#include "check.h"
15
16
17		typedef struct {
18		/// Sum of the Block sizes (including Block Padding)
19		lzma_vli blocks_size;
20
21		/// Sum of the Uncompressed Size fields
22		lzma_vli uncompressed_size;
23
24		/// Number of Records
25		lzma_vli count;
26
27		/// Size of the List of Index Records as bytes
28		lzma_vli index_list_size;
29
30		/// Check calculated from Unpadded Sizes and Uncompressed Sizes.
31		lzma_check_state check;
32
33		} lzma_index_hash_info;
34
35
36		struct lzma_index_hash_s {
37		enum {
38		SEQ_BLOCK,
39		SEQ_COUNT,
40		SEQ_UNPADDED,
41		SEQ_UNCOMPRESSED,
42		SEQ_PADDING_INIT,
43		SEQ_PADDING,
44		SEQ_CRC32,
45		} sequence;
46
47		/// Information collected while decoding the actual Blocks.
48		lzma_index_hash_info blocks;
49
50		/// Information collected from the Index field.
51		lzma_index_hash_info records;
52
53		/// Number of Records not fully decoded
54		lzma_vli remaining;
55
56		/// Unpadded Size currently being read from an Index Record.
57		lzma_vli unpadded_size;
58
59		/// Uncompressed Size currently being read from an Index Record.
60		lzma_vli uncompressed_size;
61
62		/// Position in variable-length integers when decoding them from
63		/// the List of Records.
64		size_t pos;
65
66		/// CRC32 of the Index
67		uint32_t crc32;
68		};
69
70
71		extern LZMA_API(lzma_index_hash *)
72		lzma_index_hash_init(lzma_index_hash *index_hash,
73		const lzma_allocator *allocator)
74	4.14k	{
75	4.14k	if (index_hash == NULL) {
76	3.53k	index_hash = lzma_alloc(sizeof(lzma_index_hash), allocator);
77	3.53k	if (index_hash == NULL)
78	0	return NULL;
79	3.53k	}
80
81	4.14k	index_hash->sequence = SEQ_BLOCK;
82	4.14k	index_hash->blocks.blocks_size = 0;
83	4.14k	index_hash->blocks.uncompressed_size = 0;
84	4.14k	index_hash->blocks.count = 0;
85	4.14k	index_hash->blocks.index_list_size = 0;
86	4.14k	index_hash->records.blocks_size = 0;
87	4.14k	index_hash->records.uncompressed_size = 0;
88	4.14k	index_hash->records.count = 0;
89	4.14k	index_hash->records.index_list_size = 0;
90	4.14k	index_hash->unpadded_size = 0;
91	4.14k	index_hash->uncompressed_size = 0;
92	4.14k	index_hash->pos = 0;
93	4.14k	index_hash->crc32 = 0;
94
95		// These cannot fail because LZMA_CHECK_BEST is known to be supported.
96	4.14k	(void)lzma_check_init(&index_hash->blocks.check, LZMA_CHECK_BEST);
97	4.14k	(void)lzma_check_init(&index_hash->records.check, LZMA_CHECK_BEST);
98
99	4.14k	return index_hash;
100	4.14k	}
101
102
103		extern LZMA_API(void)
104		lzma_index_hash_end(lzma_index_hash *index_hash,
105		const lzma_allocator *allocator)
106	3.53k	{
107	3.53k	lzma_free(index_hash, allocator);
108	3.53k	return;
109	3.53k	}
110
111
112		extern LZMA_API(lzma_vli)
113		lzma_index_hash_size(const lzma_index_hash *index_hash)
114	0	{
115		// Get the size of the Index from ->blocks instead of ->records for
116		// cases where application wants to know the Index Size before
117		// decoding the Index.
118	0	return index_size(index_hash->blocks.count,
119	0	index_hash->blocks.index_list_size);
120	0	}
121
122
123		/// Updates the sizes and the hash without any validation.
124		static void
125		hash_append(lzma_index_hash_info *info, lzma_vli unpadded_size,
126		lzma_vli uncompressed_size)
127	86	{
128	86	info->blocks_size += vli_ceil4(unpadded_size);
129	86	info->uncompressed_size += uncompressed_size;
130	86	info->index_list_size += lzma_vli_size(unpadded_size)
131	86	+ lzma_vli_size(uncompressed_size);
132	86	++info->count;
133
134	86	const lzma_vli sizes[2] = { unpadded_size, uncompressed_size };
135	86	lzma_check_update(&info->check, LZMA_CHECK_BEST,
136	86	(const uint8_t *)(sizes), sizeof(sizes));
137
138	86	return;
139	86	}
140
141
142		extern LZMA_API(lzma_ret)
143		lzma_index_hash_append(lzma_index_hash *index_hash, lzma_vli unpadded_size,
144		lzma_vli uncompressed_size)
145	71	{
146		// Validate the arguments.
147	71	if (index_hash == NULL \|\| index_hash->sequence != SEQ_BLOCK
148	71	\|\| unpadded_size < UNPADDED_SIZE_MIN
149	71	\|\| unpadded_size > UNPADDED_SIZE_MAX
150	71	\|\| uncompressed_size > LZMA_VLI_MAX)
151	0	return LZMA_PROG_ERROR;
152
153		// Update the hash.
154	71	hash_append(&index_hash->blocks, unpadded_size, uncompressed_size);
155
156		// Validate the properties of *info are still in allowed limits.
157	71	if (index_hash->blocks.blocks_size > LZMA_VLI_MAX
158	71	\|\| index_hash->blocks.uncompressed_size > LZMA_VLI_MAX
159	71	\|\| index_size(index_hash->blocks.count,
160	71	index_hash->blocks.index_list_size)
161	71	> LZMA_BACKWARD_SIZE_MAX
162	71	\|\| index_stream_size(index_hash->blocks.blocks_size,
163	71	index_hash->blocks.count,
164	71	index_hash->blocks.index_list_size)
165	71	> LZMA_VLI_MAX)
166	0	return LZMA_DATA_ERROR;
167
168	71	return LZMA_OK;
169	71	}
170
171
172		extern LZMA_API(lzma_ret)
173		lzma_index_hash_decode(lzma_index_hash index_hash, const uint8_t in,
174		size_t *in_pos, size_t in_size)
175	87	{
176		// Catch zero input buffer here, because in contrast to Index encoder
177		// and decoder functions, applications call this function directly
178		// instead of via lzma_code(), which does the buffer checking.
179	87	if (*in_pos >= in_size)
180	0	return LZMA_BUF_ERROR;
181
182		// NOTE: This function has many similarities to index_encode() and
183		// index_decode() functions found from index_encoder.c and
184		// index_decoder.c. See the comments especially in index_encoder.c.
185	87	const size_t in_start = *in_pos;
186	87	lzma_ret ret = LZMA_OK;
187
188	292	while (*in_pos < in_size)
189	289	switch (index_hash->sequence) {
190	87	case SEQ_BLOCK:
191		// Check the Index Indicator is present.
192	87	if (in[(*in_pos)++] != INDEX_INDICATOR)
193	0	return LZMA_DATA_ERROR;
194
195	87	index_hash->sequence = SEQ_COUNT;
196	87	break;
197
198	87	case SEQ_COUNT: {
199	87	ret = lzma_vli_decode(&index_hash->remaining,
200	87	&index_hash->pos, in, in_pos, in_size);
201	87	if (ret != LZMA_STREAM_END)
202	13	goto out;
203
204		// The count must match the count of the Blocks decoded.
205	74	if (index_hash->remaining != index_hash->blocks.count)
206	23	return LZMA_DATA_ERROR;
207
208	51	ret = LZMA_OK;
209	51	index_hash->pos = 0;
210
211		// Handle the special case when there are no Blocks.
212	51	index_hash->sequence = index_hash->remaining == 0
213	51	? SEQ_PADDING_INIT : SEQ_UNPADDED;
214	51	break;
215	74	}
216
217	22	case SEQ_UNPADDED:
218	37	case SEQ_UNCOMPRESSED: {
219	37	lzma_vli *size = index_hash->sequence == SEQ_UNPADDED
220	37	? &index_hash->unpadded_size
221	37	: &index_hash->uncompressed_size;
222
223	37	ret = lzma_vli_decode(size, &index_hash->pos,
224	37	in, in_pos, in_size);
225	37	if (ret != LZMA_STREAM_END)
226	3	goto out;
227
228	34	ret = LZMA_OK;
229	34	index_hash->pos = 0;
230
231	34	if (index_hash->sequence == SEQ_UNPADDED) {
232	19	if (index_hash->unpadded_size < UNPADDED_SIZE_MIN
233	16	\|\| index_hash->unpadded_size
234	16	> UNPADDED_SIZE_MAX)
235	3	return LZMA_DATA_ERROR;
236
237	16	index_hash->sequence = SEQ_UNCOMPRESSED;
238	16	} else {
239		// Update the hash.
240	15	hash_append(&index_hash->records,
241	15	index_hash->unpadded_size,
242	15	index_hash->uncompressed_size);
243
244		// Verify that we don't go over the known sizes. Note
245		// that this validation is simpler than the one used
246		// in lzma_index_hash_append(), because here we know
247		// that values in index_hash->blocks are already
248		// validated and we are fine as long as we don't
249		// exceed them in index_hash->records.
250	15	if (index_hash->blocks.blocks_size
251	15	< index_hash->records.blocks_size
252	9	\|\| index_hash->blocks.uncompressed_size
253	9	< index_hash->records.uncompressed_size
254	6	\|\| index_hash->blocks.index_list_size
255	6	< index_hash->records.index_list_size)
256	9	return LZMA_DATA_ERROR;
257
258		// Check if this was the last Record.
259	6	index_hash->sequence = --index_hash->remaining == 0
260	6	? SEQ_PADDING_INIT : SEQ_UNPADDED;
261	6	}
262
263	22	break;
264	34	}
265
266	34	case SEQ_PADDING_INIT:
267	34	index_hash->pos = (LZMA_VLI_C(4) - index_size_unpadded(
268	34	index_hash->records.count,
269	34	index_hash->records.index_list_size)) & 3;
270
271	34	index_hash->sequence = SEQ_PADDING;
272	34	FALLTHROUGH;
273
274	78	case SEQ_PADDING:
275	78	if (index_hash->pos > 0) {
276	56	--index_hash->pos;
277	56	if (in[(*in_pos)++] != 0x00)
278	11	return LZMA_DATA_ERROR;
279
280	45	break;
281	56	}
282
283		// Compare the sizes.
284	22	if (index_hash->blocks.blocks_size
285	22	!= index_hash->records.blocks_size
286	19	\|\| index_hash->blocks.uncompressed_size
287	19	!= index_hash->records.uncompressed_size
288	19	\|\| index_hash->blocks.index_list_size
289	19	!= index_hash->records.index_list_size)
290	3	return LZMA_DATA_ERROR;
291
292		// Finish the hashes and compare them.
293	19	lzma_check_finish(&index_hash->blocks.check, LZMA_CHECK_BEST);
294	19	lzma_check_finish(&index_hash->records.check, LZMA_CHECK_BEST);
295	19	if (memcmp(index_hash->blocks.check.buffer.u8,
296	19	index_hash->records.check.buffer.u8,
297	19	lzma_check_size(LZMA_CHECK_BEST)) != 0)
298	1	return LZMA_DATA_ERROR;
299
300		// Finish the CRC32 calculation.
301	18	index_hash->crc32 = lzma_crc32(in + in_start,
302	18	*in_pos - in_start, index_hash->crc32);
303
304	18	index_hash->sequence = SEQ_CRC32;
305	18	FALLTHROUGH;
306
307	18	case SEQ_CRC32:
308	66	do {
309	66	if (*in_pos == in_size)
310	5	return LZMA_OK;
311
312	61	if (((index_hash->crc32 >> (index_hash->pos * 8))
313	61	& 0xFF) != in[(*in_pos)++]) {
314		#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
315		return LZMA_DATA_ERROR;
316		#endif
317	61	}
318
319	61	} while (++index_hash->pos < 4);
320
321	13	return LZMA_STREAM_END;
322
323	0	default:
324	0	assert(0);
325	0	return LZMA_PROG_ERROR;
326	289	}
327
328	19	out:
329		// Update the CRC32.
330		//
331		// Avoid null pointer + 0 (undefined behavior) in "in + in_start".
332		// In such a case we had no input and thus in_used == 0.
333	19	{
334	19	const size_t in_used = *in_pos - in_start;
335	19	if (in_used > 0)
336	19	index_hash->crc32 = lzma_crc32(in + in_start,
337	19	in_used, index_hash->crc32);
338	19	}
339
340	19	return ret;
341	87	}