From 7e33a861f04d6caaea6c69f1a5133c1015a34c06 Mon Sep 17 00:00:00 2001
From: silverweed <giacomo.parolini@cern.ch>
Date: Wed, 6 May 2026 17:40:08 +0200
Subject: [PATCH 1/2] [tree] In TBasket/TBranch, error out if reading oob in
 the streamer

---
 tree/tree/src/TBasket.cxx | 34 +++++++++++++++++++++++++++++++---
 tree/tree/src/TBranch.cxx |  8 ++++++++
 2 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/tree/tree/src/TBasket.cxx b/tree/tree/src/TBasket.cxx
index a77855a498986..cd257ce9da8ba 100644
--- a/tree/tree/src/TBasket.cxx
+++ b/tree/tree/src/TBasket.cxx
@@ -1005,16 +1005,44 @@ void TBasket::Streamer(TBuffer &b)
          flag -= 80;
       }
       if (!mustGenerateOffsets && flag && (flag % 10 != 2)) {
+         // NOTE: fNevBuf is the number of entries stored in the basket, while fNevBufSize is the capacity of the
+         // fEntryOffset and fDisplacement arrays.
+         if (fNevBuf > fNevBufSize) {
+            Error(
+               "Streamer",
+               "Inconsistent length for the entry offset buffer (%d events for a buffer size of %d). Refusing to deserialize.",
+               fNevBuf, fNevBufSize);
+            MakeZombie();
+            return;
+         }
          ResetEntryOffset();
-         fEntryOffset = new Int_t[fNevBufSize];
-         if (fNevBuf) b.ReadArray(fEntryOffset);
+         if (fNevBuf) {
+            // Alas, ReadArray will read the number of elements to store into fEntryOffset from the file, but it
+            // has no way of knowing whether we're passing a large-enough array.
+            // Therefore we prevent the problem altogether by ignoring fNevBufSize and just having ReadArray allocate
+            // the buffer for us. This way we are sure that it will be of the correct size even if the file contains
+            // corrupted data.
+            fEntryOffset = nullptr;
+            auto nElemsRead = b.ReadArray(fEntryOffset);
+            if (nElemsRead != fNevBufSize) {
+               Error(
+                  "Streamer",
+                  "Inconsistent length for the entry offset buffer (expected %d elements, read %d). Refusing to deserialize.",
+                  fNevBufSize, nElemsRead);
+               MakeZombie();
+               return;
+            }
+         } else {
+            fEntryOffset = new Int_t[fNevBufSize];
+         }
          if (20<flag && flag<40) {
             for(int i=0; i<fNevBuf; i++){
                fEntryOffset[i] &= ~kDisplacementMask;
             }
          }
          if (flag>40) {
-            fDisplacement = new Int_t[fNevBufSize];
+            // ReadArray will allocate this for us.
+            fDisplacement = nullptr;
             b.ReadArray(fDisplacement);
          }
       } else if (mustGenerateOffsets) {
diff --git a/tree/tree/src/TBranch.cxx b/tree/tree/src/TBranch.cxx
index a44cf713d1916..6e1edd13dc3b4 100644
--- a/tree/tree/src/TBranch.cxx
+++ b/tree/tree/src/TBranch.cxx
@@ -3136,6 +3136,14 @@ void TBranch::Streamer(TBuffer& b)
       }
       fBasketEntry = new Long64_t[fMaxBaskets];
       b >> n;
+      if (n > fMaxBaskets) {
+         Error("Streamer",
+               "Inconsistent number of baskets. This basket cannot be read. Read %d for the actual number of baskets "
+               "while we read %d as the value of fMaxBaskets.",
+               n, fMaxBaskets);
+         MakeZombie();
+         return;
+      }
       for (i=0;i<n;i++) {b >> ijunk; fBasketEntry[i] = ijunk;}
       fBasketBytes = new Int_t[fMaxBaskets];
       if (v > 4) {

From c789f0f0a8deca15f216bdb39895c7e5c12f2d1d Mon Sep 17 00:00:00 2001
From: silverweed <giacomo.parolini@cern.ch>
Date: Thu, 7 May 2026 13:39:21 +0200
Subject: [PATCH 2/2] Add integration test for TBasket

---
 roottest/root/tree/basket/CMakeLists.txt |   8 ++++++++
 roottest/root/tree/basket/corrupted.root | Bin 0 -> 5800 bytes
 2 files changed, 8 insertions(+)
 create mode 100644 roottest/root/tree/basket/corrupted.root

diff --git a/roottest/root/tree/basket/CMakeLists.txt b/roottest/root/tree/basket/CMakeLists.txt
index e4fdc3ac7555e..961c7ad24ffc0 100644
--- a/roottest/root/tree/basket/CMakeLists.txt
+++ b/roottest/root/tree/basket/CMakeLists.txt
@@ -8,3 +8,11 @@ ROOTTEST_ADD_TEST(basket
                   MACRO rundropbasket.C
                   COPY_TO_BUILDDIR DataTest3_cel.root
                   OUTREF dropbasket.ref)
+
+# corrupted.root contains a TTree "tree" with a corrupted TBasket that has fNevBufSize == 4 and fNevBuf == 4210752.
+# Since fNevBuf is much larger than fNevBufSize this would cause oob reads unless TBasket properly validates this.
+# Verify that it does.
+ROOTTEST_ADD_TEST(corrupted_basket
+                  COPY_TO_BUILDDIR corrupted.root
+                  COMMAND ${ROOT_root_CMD} -q -l -e "(new TFile(\"corrupted.root\"))->template Get<TTree>(\"tree\")->GetEntry(0)"
+                  PASSREGEX "Inconsistent length for the entry offset buffer \\(4210752 events for a buffer size of 4\\)")
diff --git a/roottest/root/tree/basket/corrupted.root b/roottest/root/tree/basket/corrupted.root
new file mode 100644
index 0000000000000000000000000000000000000000..c5cc790571f868914b9a179bc3dd7fcdb803b01f
GIT binary patch
literal 5800
zcmeHLWl)^KmYu<EfZzdwyCwt;ZovWs3oe5X4nuGT3lb~@3&8^<3<JU42X_hX9w4|R
zczBcSR=s+)yS4Af{@kuQ-Ti%i`}XbIefr1oaCP+r0IqES0Dv_BKmkX=4b>M#0f>SG
z2C700VmJT*Bv=5TYjRUtB%|DVsh`yA@eR8tsL_9`_yGPmQVmppAO_(3>lw8g0D!6c
z9O7g{;0E?}as^xSdHf0HU%vpDf99a@3S}OFf&>bG=K=ueoBwM-y6F2Tdt%gl9e@I=
z_a9~PKU-^TT{$q+(Z&-9!SM93u>qh10D*tTFaR<#GN@MfPYxje3ZT)Sy`W?K^~v>T
zFTlqr3u{bWU6hNze*RWQFL2m_01R}14=_%<LKR(>IIzjv9w#aio|`b~wX2P5h(-Y%
z)D4wOAT3jQ@D1;Z9ACOCsQkfgaKVE%hLd4yJCI#;M$>}t&GP=i0vKIjRS>Z47En7r
zuw7L-8KR26yz*8x06=8TohMA0NW)|CUg>eE&BT*Sm6z?^Ua7pyO}9SW7)G!BIxi2G
z<xd-fT3(*|Pyt#a+qWFc7|zWO;Hn{?>~P(<4aMk2*d}`IC>k|sD^?Yn9Urlm4j`7J
z7_#F7aGT*n$i~E~4zF0F1&6eQ%jchkF;@3Sv-*d~=zhpm$I;XT8f#=f*Pe;=yvNJ7
zdfzPH+@wm<)(F%F?o4_gZ|d|tdz#)C*q&}NpFRA-A@v~Ae0YFH7qdazgVUQyWATRY
zg6KEeN|Z<?Dv$rntR8?1fCd1dMgM<h|1UC&Vh-xg0u280=r8|J-1&QF|11Ac|52I$
zchBNqEOk()_CNCB?*oF0LWC0)g&siWkL90d<qvaSK%kxkIw%T)oozf+Tx?xQ6kK0h
zI{7j<L0lYdtWgcr6UC>N2LMhH6rYBT9TRA0^rRN%r=(a7VH_UoeOYk_rv0hBq-tK9
zB_EfjqKzs~sSlJ@dFHf7hYprf{l4fgNjA;TzEwhFpM6UTX79mevB^bKe4q`aJVKB~
zblk3Dw_Rb9Npm3Js#=Oj`u2eB#f7JJcJ%3Q-^kDWI^XlkIm(6}Hf+1s$-G<944jmo
z_VN#LdAHpA%0$^}OHWV2_>8$@Y4qF6kR3w78UEF}GK1KZy!ulj{xwqXym7139|61T
z*0lbPxAPp%gF2T~I-MWP2DLt(l5~6PLug>dlQAoW>D5v8{wI*!B3ceU&bm!j+4XC!
zeLt7DqeiXWJg&k+QFF=7FS68#J0A$Ozst>y^!1$PoQPi`8>OvVexb~!NYrxoiEqeD
zGMtMAVyx&S$TP~xNxt9iErM}j+LC&>Qspi;e)mHqflu={$)fm#1V2~4ye@h9tUUhP
z2?N2=CjCqpi;K+RU7Psvwe2P!wFfKX#Y4ur6*iHsN8)SUA9S0I>0M-;@0Hqa%V@N$
z=32)1W^zqTj49U47_dRv<Nzz-U|`S}EL(*2#l%ksm2Q{KCe;<jyoGWiixp3rv>1mN
zB|7mOil|bNzALu)Hf2Is8SYo#jOkqS*l$HbQ3tr0KA(&o6M0TdMc@r|X=c$aM!vW+
zteEOLE@BA2UM`hT_;XXs>vZHfE7DW%v1C^7xl=h$8r=~=(stqMH+30Rf&w)(72JZH
zN=DEP{&F+|2i|0?eewg6e2lK2HpR<cN>w>1_bV?UaFMO4Q<`o%iB<kGTVgG&74~am
z-0VrUqntlP@&I-pi%0R{n^vvEAtJMB19zl*<dI}!uJ%%>Grr?ys!>A=$&}hBE@Eee
zEBMl07VHVJ4t`Oo&ze+2DANzM={~M~nFP3pZgF|TTto}y&6fq?W|MXc!9a~ZWQuUH
zw6hM~Ddm9KflqG7fI-Zhd&~6X%@$R34pxm~1TwA&ditKRjbl?1e8ui`diT3%EBXT>
z@Ot&SqR~XZ<}}^FTNuv~s#U#++3)%=u?)Yz45xqFInn>tYT)7rn9Drp;!fc+6yfDr
zOHlwE0*+8lu-3|0CQp0fi~M9zvz0}#=c;kNR(rjo?=EtBSu1-1lD!a;-JaX=y4KW`
z?`OPBGIQ1%uC}&xX?m;{gVt578!U>Jr!1qGmc%vCJJ}UB@hGF~WeQRd>z8xy^4pHZ
zF<sCNdoy>B5q%Hj<yU=PQil@Zr-)e2tT_Y1bq~pN%NSEr!}Ex>Ir23_9*M!-<9LF^
zoq@oNFtq&KVH+xUw|s7bGHQYujLw))@O0_|Uys|fsEI~OK8ze4A{!3vk5(j$mS$9O
z?)*htx)C*q=O;#W_N}gCw_kF7jmLDI1;eE9b3m66DR9_9M^>1Yv9?g%)#D7Sr72Nm
z9f=U7*X2JwB{Ix)ZQ6tzhFVoyO1PGoV7&~#AIaXD%F-@GMZPJ4?^O{PW?XxXod!TB
zuTOa2+$o~p;G^9{w`W&?iLRfjQ0sz`bS`m|P6RSb$-Y1MFjc5|d(5UlVGapiUxTGh
zj`So+`!SGaXA7a4;uP#o0d-emj@rc%9>T5`+0gA~7V^~6icmin!wh<7J36*J_HtLT
zaggod46wSnYB+S4>XXcQA&C0-gZMU0Lf8tiS$17TytRSv?NCW)Lv~yFlL2mip$B`x
z7EcU9*kV$e!*^EtPw0V!9dZ5CN}}hfo;$C1#~@Aeoxk^Q-M2o!u8$+FIxBS@nX_<|
z=dChP{~F<lUBwtRi>0Hs?k8m6z7gsno!t?i;CSYI(SLQdKAzuAF^o1ok5&G#N{J9Q
ziuXN}U1~@3VP4&^tc@XSC5?h$$fG0YRuDziEYWbOko`8gC@h}#_KRGJ#Z&l7j?QEC
z{;=NAw9Y!4uj9B+IpBJsDY<A+huPJLZ>f!nC&o18?bOe_GLNCc^}rwjg2&;knzpgW
z=QTL$rv0HnQC0hJV%;VzOIv5;r#)k$oC8HRH^2b`H2+`?-iJK$1<%UTOhic=7sI&=
zTgpol#VPVcF~M%CrtWLP>vRysxtNVF#z9)4XI7YbF%cGTX-%?7LmOl~o7n1=`YHuj
z(rsrZZBOosLGv~Ay+R(x88|hWG!mOt+q~7!<Dvw%pU)z+VzD3V)Cm1To_zf3+f-%$
z-P$+Bx7k5PVRMy>m{@aGg6{YoGf8-cq{HNU#`cTUiq%18{cr>x_vn6)Qf<T-34Z|h
zZrdX)DXS#9b4}J~Yo{tPwKD}~y*f!hf<u%O;j|Xti|pwbnL8Hu2*2@DDf1`l$Ye4t
z_JPJ3t%x+Zf=p=8M2h(N<?%(CEX?bploZ|Ln;s0gX$67!=>bIkX0GkDYnNOgU|*Jc
zY5V5KA)=3qAZ;N@@@g1qFZ7_FH9p3GCC2`kFMj*24oP8wIgy~Ws=}QU+yd&wd_tCN
zTALM7<s%v{S!a6RmqTCeYTZw3@k!9mJV6NEimF4*<JjLwdBra2@JuYJW}%=Y6pxJa
z7@eGSoaGlytf@M{ymc&B+zfg0baVBhV9ee5*}?-|CL&==92M=@#@rB%b6OYs3R<#?
z#i?6~u0;0)0%&_o_JKWN!`OZGU^ftKtLi|DNT4;jLc4zdUH>hPd@cn8My6!#%xdXi
zO~%FqVfB7@>#lGpK-geYS-BTkUXn;&$-7stUN@Q(s_&)GschQER8p@J{Z`yvKR+#N
z$#hnny)V<)(SF2~V&nkw4Q)H!S3y8U4*S4vJX_DNGVAq%Ou8YquNtM3?>k}X7-4y-
zLe|3k$I+22vWDMvBrLw4weC)T-~r1}KKoLUP#Uf}p?pb3-?}9@f|25>GGVYaF#-uT
zl)MlYypXQOy%77V%4YY2EDHAKS4sW-;z-~c4IM}4-F6>x>Y>(R=7!+rnMn9elab28
zq2d@L<AV@IxSH7GcV;g3bb)3*)pbRxV=uWGU$D(Ifn0f3LDS=!bx_WU@#wWg=Nk`O
zZw#<N;m2@IX119{$)smrn4Jc8Jp1#}wEEAt4L#gGtD%V*kIWGt5=HWKei5hLBaLRB
ztrL702&3}lWRVRTBUTwZie@>iVXas$E+o32XU=R|ZP-?9?sLef#m5jJ%Xgplv<S&W
z8^_gJNF`UwfOT;=UAd`t&Tc8T&e|`GS0lDq`LRydq#-z`Yb&IiU->tl-q}VJF2Js)
zj@BH-$8Plmv6t5z4}2~jH=vEH{kdq;NP#hIlgzhqZ}<|!VEPJjO6k-x63iMI1D!2%
zxa@awHF+-|$|diF$2>R{QPUIr9#a4L+sEeP=ezeNbg<b-t2Z*q<o@QV)LZz3XeM_<
zS&6rHl-4Vcv+e}MF!MfquCm)7Ijn@1(i^<;nrk;AF<=e(nFey~l13-wUOFIB>nUK_
z?-$5n^D7)-bz2&%-WWB>a!{y}E0iSEoY|m?&r_M4^z3(#*jxl{2L=vFuJ5<ADlz14
zXvQZr4tTU$b|8y8A}QYxHM}U!8uw`*v3L8Sxcy`RuIKS0?<(o`vIu|W@s2Mrzc{sF
zwt8iz=&I>O1YI=bbt}HsB<M5ZrBSj=&^L;<&E}e8QW3R%>W6NjT?I~weLukz;+nPm
z)E(R5<)!G-Y3$AAv{)RP79}g$;pPEKME88x_14O!#M<|DtOlEbT{<;qQb|`XkBHV4
zC@p%7eI?`B0$~=_Cegg=&d=?dw7-{8lbI*ei6|f%7VV3P1FQ%0ibuqkLIsW;vBn2O
zcUWZw?apk*MhDs>#brGw6fJbIS!M0?v7yl`16c8N0RzLQ7Df-W9-51+Hx3dpkuz@|
z=njE1=nY|GHBmH>MHYyHo!oV0)OunRlgK?N?TY^@O>tqiI^*CX1C)h(k03UuSZ_Fa
zVi~1&61dOvAvHEmwz1VP+bK_0kv)N7U$zmszY=4gmUJ%e6q73EfSGqhZM{NaZ6q)4
zti~cQ+?g_`bk^rdf)fg%=}gR@v5;+Sa_F#?(NapW3@yzs#ltUj&Q-rxEK<Wh6=mlp
zH|zcM(_50%71Um*?$yIbXi^R&^k{~Qk_rw=m+0^)mX3idR9>-n4bWRNmERVu$G?kj
z><j4NU|Te!_J6j$&Bs}mXPJG(Ug4cA8(Oz?W+tx`EKPRQ!n+$W*(|MQUVnMlbfSVm
zBkB4{DDxtF?_fk+JZrzXGc)Qedra75chZ5cZ9#wYUHr+Ymaa^q2d#w-Fw@X;`RQvc
z%0Zxn$QHRgjnh=1zUF*gl|rVD%tvI}Oxh(ESymq}Bh9fUhES>gyNrB|^r!k@z1xz?
z?E3ynE~sj$T-FUV>*dVU>B&%70?RdTF5&XUD{7{JWhm1?t)AbIn?MP4?9yE@g2kU6
z^1)gf%zfL2(^*OlnePrY*{z}M&Yx#DS`MQ(L2}^M_zsbrOPI`lwYZ9B%`@JAU)keD
z!seV@>cmX}z~FbKaR$B**V1Mo@t&OC*4Qmg8(C0G@nGgW3p^5O<!=;w#6+xIP(5Kn
zh&$Y)UW=cl4O@BnThjwi;hrsQhu^75Xmym0-4}P@qKExkeS8Xs?KuyU%GZxT5<^;a
zvzy)`usPaB?S|fKi3ywSvJ))_kUokez~g4^evL8u$O<<l-;ei^{K7_MwN6QQEMH9&
z*=IQZd!~7r{wxr7>voFouwwm}18X+7q=3h+RYR`5@zq`5ja@mTJ34y2tUGLhdAXa(
z{roF4>vE~IhAaMK`)Su@Y0*P8n}9(_reLV>>jGaS0%AM$q*%E}q=JFi+mMOdj8<8_
zCpPj#uLKmmX!OR-U5^MCQp^q_&I9gexWK_{XD0AZ7u3)6KX1o+$%hF%#0>iRAt-|X
z=cf~qajJ+2Skcm06vHuK4`?%Bz?LoGDao)MdBDR5AMB%ufKSP+(j&>sh;+V*u@DXi
zdV4se3(x-M4mg#(@e($VO1W8xI2<sK8E!7@w+?n>R-5z2tIN~u?0yybt471LEV<yx
zq#@pb!Bj9_PMoB;^qFSRS@E10eU+4Rn2%qsl(v$;{IzG@5_<;E$9KVdk~kn6v$iol
zmfD9rr;36;l)Xf`X%tj-{bo4{#)y&_JAa?7I<HP&u*(<BVDYyt%=g%LZ)3kMc)qsG
z;eS~6s=!r~TdZ;jL8HMjG}sU^-C)I(Q~RcflTKT6K<a}I!?nFUQEt<`jeMo7U*y<2
zPyEIyvX%!{)uT$^c03Zak&=xT4fP4b-U_M?nve}6-1;iryimX*ps#^YzkR=Gd)hYa
z|FM;c@kJj@Rb_DmRy&1Wb$V)6%#vL!zR`I};tXkzNY`@^wj5~_d;=Mg#+#6`ewT=}
zRl6SGwlnXEeDXX~x(9#t<5`$jwtH%ueD)F|6k6zDT%=#@_sF@Q+uZ2qdNdDJZ<irn
zf}GJtDY)&^JVg|2DQeevbM?ob0O!`U3+Qr`K^GYvW%%y?BrNhv>$pkjYJ9Px{<N0e
zoQgLm9`_tqr~#Ojm*&@gkl5^b$aGv6-k0b>D8QMYCK)JJ&xJoAuRcd|>hb&5LB0FJ
zUgh`&yuUNXUZn-S65aL$KzgUqdTX9(HCa~vEkPq!V-Cmba&!k1E)8|~Wgy@c9rV#q
z5t_kYF%UL5T?*!O0Wba*Uv-7dc$Hd2#I9?C@nj1trz}ZjCOQWO+19aXApSiv*9S)&
zgkJ&8+iE_*`Q<b1rrN4jw|ki7gs{Cn&7RuTyLkz^U)y<l<eErI#D0oSUDx(p03&rY
z%oB0jN3Qa0VuXC_7Acj(jfP#oV_}PvnnQ<cP?6(@BR)5%n9Cib@r-q(qlxXhyGW!}
z)%d<FT!6YvHT^<!THf$-D_AUu<13@i)0EX|*V$&@B=kMpf}M(XMntcT(6Cug7o1>7
zi^t;~rCxelT`2kCaWmWVQM!QhK4|{;7F=s)&%L+fag>wqI_7mJyLRvodq$UVFUI8~
z2_<)7ut}RNzhYUXU#mV#JvV0}kr!{{PQItk8jC_NLPmr0?=kBnop4clkLX`53h$p<
X)L+FJr2_poS`<nnqJVn~B?JBezwMPS

literal 0
HcmV?d00001