Fix ZSTD decompression on bad data.

michael-grunder · michael-grunder · commit c48b3a2ba3d6 · 2021-03-22T10:48:27.000-07:00
ZSTD uses two defined error numbers to inform the caller when the compressed data is invalid (e.g. wrong magic number) or the size is unknown. We should always know the size so abort if ZSTD returns either to us. Fixes: #1936
diff --git a/library.c b/library.c
@@ -2877,7 +2877,8 @@ redis_unpack(RedisSock *redis_sock, const char *val, int val_len, zval *z_ret)
                 size_t len;
 
                 len = ZSTD_getFrameContentSize(val, val_len);
-                if (len >= 0) {
+
+                if (len != ZSTD_CONTENTSIZE_ERROR && len != ZSTD_CONTENTSIZE_UNKNOWN) {
                     data = emalloc(len);
                     len = ZSTD_decompress(data, len, val, val_len);
                     if (ZSTD_isError(len)) {
diff --git a/tests/RedisTest.php b/tests/RedisTest.php
@@ -4573,6 +4573,14 @@ public function testCompressionZSTD()
         if (!defined('Redis::COMPRESSION_ZSTD')) {
             $this->markTestSkipped();
         }
+
+        /* Issue 1936 regression.  Make sure we don't overflow on bad data */
+        $this->redis->del('badzstd');
+        $this->redis->set('badzstd', '123');
+        $this->redis->setOption(Redis::OPT_COMPRESSION, Redis::COMPRESSION_ZSTD);
+        $this->assertEquals('123', $this->redis->get('badzstd'));
+        $this->redis->setOption(Redis::OPT_COMPRESSION, Redis::COMPRESSION_NONE);
+
         $this->checkCompression(Redis::COMPRESSION_ZSTD, 0);
         $this->checkCompression(Redis::COMPRESSION_ZSTD, 9);
     }
