std/xz: enforce BCJ offset alignment

nigeltao · nigeltao · commit c4aa5e60d0f4 · 2024-04-29T22:33:51.000+10:00
diff --git a/release/c/wuffs-unsupported-snapshot.c b/release/c/wuffs-unsupported-snapshot.c
@@ -14061,6 +14061,7 @@ struct wuffs_xxhash64__hasher__struct {
 
 // ---------------- Status Codes
 
+extern const char wuffs_xz__error__bad_bcj_offset[];
 extern const char wuffs_xz__error__bad_block_header[];
 extern const char wuffs_xz__error__bad_checksum[];
 extern const char wuffs_xz__error__bad_filter[];
@@ -14250,6 +14251,7 @@ struct wuffs_xz__decoder__struct {
     } s_decode_block_header_with_padding;
     struct {
       uint8_t v_flags;
+      uint8_t v_filter_id;
       uint32_t v_shift;
       uint32_t v_f;
       uint64_t scratch;
@@ -69501,6 +69503,7 @@ wuffs_xxhash64__hasher__checksum_u64(
 
 // ---------------- Status Codes Implementations
 
+const char wuffs_xz__error__bad_bcj_offset[] = "#xz: bad BCJ offset";
 const char wuffs_xz__error__bad_block_header[] = "#xz: bad block header";
 const char wuffs_xz__error__bad_checksum[] = "#xz: bad checksum";
 const char wuffs_xz__error__bad_filter[] = "#xz: bad filter";
@@ -69552,6 +69555,12 @@ WUFFS_XZ__ZEROES[3] WUFFS_BASE__POTENTIALLY_UNUSED = {
   0u, 0u, 0u,
 };
 
+static const uint8_t
+WUFFS_XZ__BCJ_OFFSET_ALIGNMENT[12] WUFFS_BASE__POTENTIALLY_UNUSED = {
+  0u, 0u, 0u, 0u, 1u, 4u, 16u, 4u,
+  2u, 4u, 4u, 2u,
+};
+
 // ---------------- Private Initializer Prototypes
 
 // ---------------- Private Function Prototypes
@@ -71352,6 +71361,8 @@ wuffs_xz__decoder__decode_block_header_sans_padding(
   wuffs_base__status status = wuffs_base__make_status(NULL);
 
   uint8_t v_c8 = 0;
+  uint32_t v_c32 = 0;
+  uint32_t v_alignment = 0;
   uint8_t v_flags = 0;
   uint8_t v_filter_id = 0;
   wuffs_base__status v_status = wuffs_base__make_status(NULL);
@@ -71373,6 +71384,7 @@ wuffs_xz__decoder__decode_block_header_sans_padding(
   uint32_t coro_susp_point = self->private_impl.p_decode_block_header_sans_padding;
   if (coro_susp_point) {
     v_flags = self->private_data.s_decode_block_header_sans_padding.v_flags;
+    v_filter_id = self->private_data.s_decode_block_header_sans_padding.v_filter_id;
     v_shift = self->private_data.s_decode_block_header_sans_padding.v_shift;
     v_f = self->private_data.s_decode_block_header_sans_padding.v_f;
   }
@@ -71575,8 +71587,16 @@ wuffs_xz__decoder__decode_block_header_sans_padding(
                 *scratch |= ((uint64_t)(num_bits_7)) << 56;
               }
             }
-            self->private_impl.f_bcj_pos = t_7;
+            v_c32 = t_7;
+          }
+          v_alignment = ((uint32_t)(WUFFS_XZ__BCJ_OFFSET_ALIGNMENT[v_filter_id]));
+          if (v_alignment > 0u) {
+            if ((v_c32 % v_alignment) != 0u) {
+              status = wuffs_base__make_status(wuffs_xz__error__bad_bcj_offset);
+              goto exit;
+            }
           }
+          self->private_impl.f_bcj_pos = v_c32;
         } else {
           status = wuffs_base__make_status(wuffs_xz__error__unsupported_filter);
           goto exit;
@@ -71643,6 +71663,7 @@ wuffs_xz__decoder__decode_block_header_sans_padding(
   suspend:
   self->private_impl.p_decode_block_header_sans_padding = wuffs_base__status__is_suspension(&status) ? coro_susp_point : 0;
   self->private_data.s_decode_block_header_sans_padding.v_flags = v_flags;
+  self->private_data.s_decode_block_header_sans_padding.v_filter_id = v_filter_id;
   self->private_data.s_decode_block_header_sans_padding.v_shift = v_shift;
   self->private_data.s_decode_block_header_sans_padding.v_f = v_f;
 
diff --git a/std/xz/decode_xz.wuffs b/std/xz/decode_xz.wuffs
@@ -17,6 +17,7 @@ use "std/crc64"
 use "std/lzma"
 use "std/sha256"
 
+pub status "#bad BCJ offset"
 pub status "#bad block header"
 pub status "#bad checksum"
 pub status "#bad filter"
@@ -512,6 +513,8 @@ pri func decoder.decode_block_header_with_padding?(src: base.io_reader) {
 
 pri func decoder.decode_block_header_sans_padding?(src: base.io_reader) {
     var c8        : base.u8
+    var c32       : base.u32
+    var alignment : base.u32
     var flags     : base.u8
     var filter_id : base.u8
     var status    : base.status
@@ -633,7 +636,14 @@ pri func decoder.decode_block_header_sans_padding?(src: base.io_reader) {
             if c8 == 0x00 {
                 this.bcj_pos = 0
             } else if c8 == 0x04 {
-                this.bcj_pos = args.src.read_u32le?()
+                c32 = args.src.read_u32le?()
+                alignment = BCJ_OFFSET_ALIGNMENT[filter_id] as base.u32
+                if alignment > 0 {
+                    if (c32 % alignment) <> 0 {
+                        return "#bad BCJ offset"
+                    }
+                }
+                this.bcj_pos = c32
             } else {
                 return "#unsupported filter"
             }
@@ -800,3 +810,20 @@ pri const CHECKSUM_LENGTH : roarray[4] base.u8 = [
 ]
 
 pri const ZEROES : roarray[3] base.u8 = [0, 0, 0]
+
+// See https://tukaani.org/xz/xz-file-format.txt section 5.3.2.
+// Branch/Call/Jump Filters for Executables.
+pri const BCJ_OFFSET_ALIGNMENT : roarray[12] base.u8 = [
+        0x00,  // 0x00: Unused.
+        0x00,  // 0x01: Unused.
+        0x00,  // 0x02: Unused.
+        0x00,  // 0x03: Unused.
+        0x01,  // 0x04: x86.
+        0x04,  // 0x05: powerpc.
+        0x10,  // 0x06: ia64.
+        0x04,  // 0x07: arm.
+        0x02,  // 0x08: armthumb.
+        0x04,  // 0x09: sparc.
+        0x04,  // 0x0A: arm64.
+        0x02,  // 0x0B: riscv.
+]
