void_core/shard/

reader.rs

//! Shard reading — decompression and manifest-driven file access.

use super::writer::read_padding_info;
use crate::metadata::ManifestEntry;
use crate::{FileContent, Result, VoidError};

/// Maximum allowed decompressed body size (1 GB).
///
/// This prevents decompression bomb attacks where a small compressed
/// payload expands to consume all available memory.
const MAX_DECOMPRESSED_SIZE: u64 = 1024 * 1024 * 1024;

/// Decompressed shard body for manifest-driven file access.
///
/// Use with `ManifestEntry` offsets instead of parsing shard-internal metadata.
/// Created via `DecryptedShard::decompress()`.
pub struct ShardBody(Vec<u8>);

impl ShardBody {
    /// Read a file using its manifest entry.
    ///
    /// Extracts the file content at the offset and length specified by the entry.
    pub fn read_file(&self, entry: &ManifestEntry) -> Result<FileContent> {
        let start = entry.offset as usize;
        let end = start
            .checked_add(entry.length as usize)
            .ok_or_else(|| VoidError::Shard("offset+length overflow".into()))?;
        if end > self.0.len() {
            return Err(VoidError::Shard(format!(
                "file '{}' range {}..{} exceeds body size {}",
                entry.path, start, end, self.0.len()
            )));
        }
        Ok(self.0[start..end].to_vec())
    }

    /// Total decompressed body size in bytes.
    pub fn len(&self) -> usize {
        self.0.len()
    }

    /// Check if the body is empty.
    pub fn is_empty(&self) -> bool {
        self.0.is_empty()
    }

    /// Access the raw decompressed bytes.
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }
}

/// Decompress a shard's body.
///
/// Implementation detail of `DecryptedShard::decompress()`.
/// Strips padding (if present), then decompresses the zstd data.
pub(crate) fn decompress_shard_body(data: Vec<u8>) -> Result<ShardBody> {
    let data = if let Some(padding_size) = read_padding_info(&data) {
        &data[..data.len().saturating_sub(16 + padding_size)]
    } else {
        &data[..]
    };

    if data.is_empty() {
        return Ok(ShardBody(Vec::new()));
    }

    let decompressed = decompress_bounded(data, MAX_DECOMPRESSED_SIZE)?;
    Ok(ShardBody(decompressed))
}

/// Decompresses zstd data with a maximum output size limit.
///
/// Uses streaming decompression to enforce the limit during decompression,
/// preventing memory exhaustion attacks where a small compressed payload
/// expands to consume all available memory (zstd bomb).
///
/// # Errors
/// Returns `VoidError::Shard` if decompressed size exceeds the limit.
/// Returns `VoidError::Compression` if decompression fails.
fn decompress_bounded(compressed: &[u8], max_size: u64) -> Result<Vec<u8>> {
    use std::io::Read;

    let mut decoder = zstd::Decoder::new(compressed)
        .map_err(|e| VoidError::Compression(e.to_string()))?;

    let initial_capacity = std::cmp::min(compressed.len().saturating_mul(4), max_size as usize);
    let mut output = Vec::with_capacity(initial_capacity);

    const CHUNK_SIZE: usize = 64 * 1024;
    let mut buf = [0u8; CHUNK_SIZE];

    loop {
        let bytes_read = decoder
            .read(&mut buf)
            .map_err(|e| VoidError::Compression(e.to_string()))?;

        if bytes_read == 0 {
            break;
        }

        if output.len() + bytes_read > max_size as usize {
            return Err(VoidError::Shard(format!(
                "decompressed size exceeds maximum {} bytes",
                max_size
            )));
        }

        output.extend_from_slice(&buf[..bytes_read]);
    }

    Ok(output)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn decompress_bounded_stops_at_limit() {
        let data = vec![0u8; 1024 * 1024];
        let compressed = zstd::encode_all(&data[..], 3).unwrap();
        let small_limit = 512 * 1024;

        let result = decompress_bounded(&compressed, small_limit);
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("exceeds maximum"));
    }
}