Buffer Overflow Can Occur For Valid CHDs (and malicious CHDs)

[CasualPokePlayer]

libchdr currently makes an assumption that any compressed hunk can fit within an uncompressed hunk. This assumption can be wrong however for completely valid CHDs, if they were created with low compression levels (as implicitly some internal compression header/footer could be present along with the possibly not very compressed data). It can also be trivially wrong for any maliciously created CHD, since the compressed hunk length is just something read from the hunk map.

[rtissera]

Can you pinpoint the (single or multiple) code vulnerabilities in source tree ?

[CasualPokePlayer]

libchdr/src/libchdr_chd.c

Line 2606 in 0841ba3

bytes = core_fread(chd->file, chd->compressed, size);

size is not bounds checked, chd->compressed should be reallocated accordingly if size exceeds the buffer size.