From 691c1159463a04c58720f2c17e624320058edbf1 Mon Sep 17 00:00:00 2001
From: akharlamov
Date: Mon, 12 Nov 2018 16:18:01 -0800
Subject: [PATCH] Prevent a crash when receiving a corrupt rdc file

It is possible to read a large value into compSize, and consequently read a large number of bytes into m_CompressBuffer, which can only hold 64k, which would lead to a crash.
---
 renderdoc/serialise/lz4io.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/renderdoc/serialise/lz4io.cpp b/renderdoc/serialise/lz4io.cpp
index 185e0e143..6c748d74f 100644
--- a/renderdoc/serialise/lz4io.cpp
+++ b/renderdoc/serialise/lz4io.cpp
@@ -256,10 +256,20 @@ bool LZ4Decompressor::FillPage0()
 bool success = true;
 success &= m_Read->Read(compSize);
+ if(!success || compSize < 0 || compSize > (int)LZ4_COMPRESSBOUND(lz4BlockSize))
+ {
+ RDCERR("Error reading size: %i", compSize);
+ FreeAlignedBuffer(m_Page[0]);
+ FreeAlignedBuffer(m_Page[1]);
+ FreeAlignedBuffer(m_CompressBuffer);
+ m_Page[0] = m_Page[1] = m_CompressBuffer = NULL;
+ return false;
+ }
 success &= m_Read->Read(m_CompressBuffer, compSize);
 if(!success)
 {
+ RDCERR("Error reading block: %i", compSize);
 FreeAlignedBuffer(m_Page[0]);
 FreeAlignedBuffer(m_Page[1]);
 FreeAlignedBuffer(m_CompressBuffer);
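Review bot: The new upper bound on `compSize` is only as good as its match with the allocation of `m_CompressBuffer`, and that allocation is not in this hunk; if the buffer is sized by anything other than `LZ4_COMPRESSBOUND(lz4BlockSize)`, the guard can still let an oversized read through. Deriving both the allocation and this check from one shared constant would keep them from drifting, and a comment on the guard such as `// compSize is read from the capture file and is untrusted: reject anything that cannot fit m_CompressBuffer` would record why it exists. The free-and-NULL teardown is now written out in two error paths of this hunk, so a small private helper would keep them consistent if a further buffer is ever added. `FillPage0` starts and ends outside the hunk, so the declaration of `compSize` (which is logged even when the size read itself failed) and the handling of the decompression result could not be checked here.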