
CLI: Hang bomb with crafted circular symbolic link causes "zstd -d -r -f" to infinitely loop. "pigz -d -r -f" skips symbolic links with non-compressed suffix

Open gcflymoto opened this issue 1 year ago • 0 comments

Describe the bug

When recursive decompression is used with -f to force, as the documentation states, it operates on links. However, the behavior of how it operates on links is different from other decompressors, including pigz.

To Reproduce

Create a deeply nested cyclical soft link. (For security reasons I am not providing the reproduction to cause the bomb.)

    zstd -d -f -r --verbose crafted_hang_bomb_circular_soft_link
    *** Zstandard CLI (64-bit) v1.5.6, by Yann Collet ***
    (infinite hang)

While pigz exits with an appropriate error:

    pigz -d -f -r link
    pigz: link does not have compressed suffix -- skipping

Expected behavior

Behave like pigz and skip soft links without the right suffix.

Desktop (please complete the following information):

  • OS: SUSE
  • Version: SLES12SP5
  • Compiler: clang
  • Build system: Make

gcflymoto, Jun 26 '24 16:06
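A sketch of the traversal policy the report asks for, added here as an example; it is not zstd's or pigz's code and not the reporter's withheld reproduction. It skips symbolic links that lack the compressed suffix and, going one step beyond the report, refuses to re-enter a directory that is already an ancestor on the current descent path. The names `count_candidates`, `walk`, `has_suffix` and `on_path`, the `.zst`-only suffix list and the depth bound of 64 are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_DEPTH 64 /* assumed nesting bound for this sketch */

/* Assumption: ".zst" is the only accepted suffix. */
static int has_suffix(const char *p) {
    size_t n = strlen(p);
    return n > 4 && strcmp(p + n - 4, ".zst") == 0;
}

/* 1 if this directory (device, inode) is already an ancestor on the descent path. */
static int on_path(const struct stat *st, const struct stat *anc, int depth) {
    for (int i = 0; i < depth; i++)
        if (anc[i].st_dev == st->st_dev && anc[i].st_ino == st->st_ino) return 1;
    return 0;
}

static int walk(const char *path, struct stat *anc, int depth, int *skipped) {
    struct stat lst, st;
    if (lstat(path, &lst) != 0) return 0;
    /* pigz-style policy: a link without the compressed suffix is never followed */
    if (S_ISLNK(lst.st_mode) && !has_suffix(path)) { (*skipped)++; return 0; }
    if (stat(path, &st) != 0) return 0; /* dangling link or ELOOP */
    /* non-directories count only when they are regular files with the suffix */
    if (!S_ISDIR(st.st_mode)) return S_ISREG(st.st_mode) && has_suffix(path);
    /* a suffixed link can still lead back to an ancestor directory */
    if (depth >= MAX_DEPTH || on_path(&st, anc, depth)) { (*skipped)++; return 0; }
    anc[depth] = st;
    DIR *d = opendir(path);
    if (!d) return 0;
    int found = 0;
    char child[4096];
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        if (strcmp(e->d_name, ".") && strcmp(e->d_name, "..") &&
            (size_t)snprintf(child, sizeof child, "%s/%s", path, e->d_name) < sizeof child)
            found += walk(child, anc, depth + 1, skipped);
    closedir(d);
    return found;
}

/* Returns the number of suffixed regular files; *skipped counts refused entries. */
int count_candidates(const char *root, int *skipped) {
    struct stat anc[MAX_DEPTH];
    *skipped = 0;
    return walk(root, anc, 0, skipped);
}
```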