zstandard panics on fuzzed input

[gooncreeper]

Zig Version

0.14.0

Steps to Reproduce and Observed Behavior

Create a file with the following and run zig test on it:

const std = @import("std");

test "fuzz test failure" {
    const input = "\x28\xb5\x2f\xfd\x00\x00\x00\x00\x00\x95\x00\x00\xbc\xf3\xae\xa5\x9f\xe3";
    var fbs = std.io.fixedBufferStream(input);

    var window: [65536]u8 = undefined;
    var stream = std.compress.zstd.decompressor(fbs.reader(), .{ .window_buffer = &window });

    var buf: [16384]u8 = undefined;
    while (stream.read(&buf) catch return != 0) {}
}

It leads to the following panic

thread 3919 panic: index out of bounds: index 716603, len 131072
/home/dev/release.z/zig-linux-x86_64-0.14.0/lib/std/compress/zstandard/decode/block.zig:992:40: 0x1055617 in decodeLiteralsSection__anon_2601 (test)
            try source.readNoEof(buffer[0..header.regenerated_size]);
                                       ^
/home/dev/release.z/zig-linux-x86_64-0.14.0/lib/std/compress/zstandard/decode/block.zig:838:55: 0x105bfa4 in decodeBlockReader__anon_2516 (test)
            const literals = try decodeLiteralsSection(block_reader, literals_buffer);
                                                      ^
/home/dev/release.z/zig-linux-x86_64-0.14.0/lib/std/compress/zstandard.zig:148:51: 0x1050b83 in readInner (test)
                decompress.block.decodeBlockReader(
                                                  ^
/home/dev/release.z/zig-linux-x86_64-0.14.0/lib/std/compress/zstandard.zig:124:42: 0x104e6c6 in read (test)
                size = try self.readInner(buffer);
                                         ^
/home/dev/git/gooncreeper/zig/zstd-bug.zig:11:23: 0x104e4db in test.fuzz test failure (test)
    while (stream.read(&buf) catch return != 0) {}
                      ^
/home/dev/release.z/zig-linux-x86_64-0.14.0/lib/compiler/test_runner.zig:214:25: 0x112f1f9 in mainTerminal (test)
        if (test_fn.func()) |_| {
                        ^
/home/dev/release.z/zig-linux-x86_64-0.14.0/lib/compiler/test_runner.zig:62:28: 0x112773d in main (test)
        return mainTerminal();
                           ^
/home/dev/release.z/zig-linux-x86_64-0.14.0/lib/std/start.zig:647:22: 0x1126cc2 in posixCallMainAndExit (test)
            root.main();
                     ^
/home/dev/release.z/zig-linux-x86_64-0.14.0/lib/std/start.zig:271:5: 0x112689d in _start (test)
    asm volatile (switch (native_arch) {
    ^
???:?:?: 0x0 in ??? (???)
error: the following test command crashed:

Expected Behavior

Return an error (as the unzstd command does)

[squeek502]

cc @dweiller

[squeek502]

Likely caused by ac1b957

My (uneducated) guess is that there's a missing > block_size_max or > literals_buffer.len check somewhere (or literals_buffer isn't large enough?).

EDIT: Actually, literals_buffer was heap-allocated with the same length before ac1b957, so something else is probably happening.

EDIT#2: This commit seems more likely to be a potential cause: 63fa151