Illumos #4936 fix potential overflow in lz4
4936 lz4 could theoretically overflow a pointer with a certain input Reviewed by: Saso Kiselkov <skiselkov.ml@gmail.com> Reviewed by: Keith Wesolowski <keith.wesolowski@joyent.com> Approved by: Gordon Ross <gordon.ross@nexenta.com> Ported by: Tim Chase <tim@chase2k.com> References: https://illumos.org/issues/4936 https://github.com/illumos/illumos-gate/commit/58d0718 Porting notes: This fixes the widely-reported "20-year-old vulnerability" in LZO/LZ4 implementations which inherited said bug from the reference implementation. Signed-off-by: Richard Yao <ryao@gentoo.org> Signed-off-by: Tim Chase <tim@chase2k.com> Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov> Closes #2429
This commit is contained in:
parent
4240dc332d
commit
ee4712284c
@ -907,6 +907,9 @@ LZ4_uncompress_unknownOutputSize(const char *source, char *dest, int isize,
|
||||
}
|
||||
/* copy literals */
|
||||
cpy = op + length;
|
||||
/* CORNER-CASE: cpy might overflow. */
|
||||
if (cpy < op)
|
||||
goto _output_error; /* cpy was overflowed, bail! */
|
||||
if ((cpy > oend - COPYLENGTH) ||
|
||||
(ip + length > iend - COPYLENGTH)) {
|
||||
if (cpy > oend)
|
||||
|
Loading…
x
Reference in New Issue
Block a user