4936 lz4 could theoretically overflow a pointer with a certain input

Reviewed by: Saso Kiselkov <skiselkov.ml@gmail.com>
Reviewed by: Keith Wesolowski <keith.wesolowski@joyent.com>
Approved by: Gordon Ross <gordon.ross@nexenta.com>

illumos/illumos-gate@58d0718061
Xin LI 2014-07-01 21:16:27 +00:00
parent de7933ee7e
commit 7f33857ee0


@ -960,6 +960,9 @@ real_LZ4_uncompress(const char *source, char *dest, int osize)
}
/* copy literals */
cpy = op + length;
/* CORNER-CASE: cpy might overflow. */
if (cpy < op)
goto _output_error; /* cpy was overflowed, bail! */
if unlikely(cpy > oend - COPYLENGTH) {
if (cpy != oend)
/* Error: we must necessarily stand at EOF */
@ -1075,6 +1078,9 @@ LZ4_uncompress_unknownOutputSize(const char *source, char *dest, int isize,
}
/* copy literals */
cpy = op + length;
/* CORNER-CASE: cpy might overflow. */
if (cpy < op)
goto _output_error; /* cpy was overflowed, bail! */
if ((cpy > oend - COPYLENGTH) ||
(ip + length > iend - COPYLENGTH)) {
if (cpy > oend)
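Review bot: The added `if (cpy < op)` test in both hunks runs only after `cpy = op + length` has already been evaluated, and pointer arithmetic that leaves the destination object is undefined behaviour in C, so an optimising compiler is allowed to assume the wrap cannot happen and drop the comparison. Checking the length against the space that remains avoids forming the out-of-range pointer at all, e.g. `if (length > (size_t)(oend - op)) goto _output_error;` placed before the assignment; this assumes `length` is an unsigned size type and that `op <= oend` holds here, neither of which the hunks show. In the second hunk, `ip + length > iend - COPYLENGTH` can wrap the same way on the input side and is not guarded by this change; a comparison of `length` with `iend - ip` would cover it. Both function bodies start and end outside the hunks, so the declarations should be confirmed before applying this.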