trifectatechfoundation
diff --git a/‎libbz2-rs-sys/src/decompress.rs‎
Lines changed: 1 addition & 1 deletion b/‎libbz2-rs-sys/src/decompress.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎test-libbz2-rs-sys/src/lib.rs‎
Lines changed: 23 additions & 0 deletions b/‎test-libbz2-rs-sys/src/lib.rs‎
Lines changed: 23 additions & 0 deletions
@@ -597,7 +597,7 @@ pub(crate) fn decompress(
  uc = GET_BYTE!(strm, s);
 
  s.origPtr = (s.origPtr << 8) | i32::from(uc);
- if !(0..10 + 100000 * i32::from(s.blockSize100k)).contains(&s.origPtr) {
+ if !(0..=10 + 100000 * i32::from(s.blockSize100k)).contains(&s.origPtr) {
  error!(BZ_DATA_ERROR);
  }
 
 
@@ -1454,3 +1454,26 @@ mod high_level_interface {
  drop(path_as_cstring);
  }
 }
+
+#[test]
+fn orig_ptr_bounds_check_off_by_1() {
+ // From https://git.radicallyopensecurity.com/ngi/ngicore-zip-linting-and-bzip2-in-rust/-/issues/6
+ //
+ // A bounds check in `decompress.rs` was off-by-one in the rust version.
+ let source: &[u8] = &[
+ 0x42, 0x5a, 0x68, 0x32, 0x31, 0x41, 0x59, 0x26, 0x53, 0x59, 0x03, 0x4f, 0x7e, 0x01, 0x01,
+ 0x86, 0xa5, 0x00, 0x00,
+ ];
+
+ let (err_c, dest_c) =
+ unsafe { crate::decompress_c_with_capacity(1 << 16, source.as_ptr(), source.len() as _) };
+
+ let (err_rs, dest_rs) =
+ unsafe { crate::decompress_rs_with_capacity(1 << 16, source.as_ptr(), source.len() as _) };
+
+ assert_eq!(err_c, err_rs);
+
+ if err_c == libbz2_rs_sys::BZ_OK {
+ assert_eq!(dest_c, dest_rs);
+ }
+}
Original file line number	Diff line number	Diff line change
`@@ -597,7 +597,7 @@ pub(crate) fn decompress(`
`597`	`597`	`uc = GET_BYTE!(strm, s);`
`598`	`598`
`599`	`599`	`s.origPtr = (s.origPtr << 8) \| i32::from(uc);`
`600`		`- if !(0..10 + 100000 * i32::from(s.blockSize100k)).contains(&s.origPtr) {`
	`600`	`+ if !(0..=10 + 100000 * i32::from(s.blockSize100k)).contains(&s.origPtr) {`
`601`	`601`	`error!(BZ_DATA_ERROR);`
`602`	`602`	`}`
`603`	`603`