* [PATCH 3/3] lz4: fix another possible overrun
@ 2014-07-01 21:22 Holger Schurig
0 siblings, 0 replies; only message in thread
From: Holger Schurig @ 2014-07-01 21:22 UTC (permalink / raw)
To: barebox; +Cc: Holger Schurig
Note: this is the same as 4148c1f67abf823099b2d7db6851e4aea407f5ee in
linux-git.
There is one other possible overrun in the lz4 code as implemented by
Linux at this point in time (which differs from the upstream lz4
codebase, but will get synced at in a future kernel release.) As
pointed out by Don, we also need to check the overflow in the data
itself.
While we are at it, replace the odd error return value with just a
"simple" -1 value as the return value is never used for anything other
than a basic "did this work or not" check.
Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Reported-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Holger Schurig <holgerschurig@gmail.de>
---
lib/lz4/lz4_decompress.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index 75cf08b..9f7bf17 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -109,6 +109,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
if (length == ML_MASK) {
for (; *ip == 255; length += 255)
ip++;
+ if (unlikely(length > (size_t)(length + *ip)))
+ goto _output_error;
length += *ip++;
}
@@ -158,7 +160,7 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
/* write overflow error detected */
_output_error:
- return (int) (-(((char *)ip) - source));
+ return -1;
}
static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
--
1.8.5.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2014-07-01 21:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-07-01 21:22 [PATCH 3/3] lz4: fix another possible overrun Holger Schurig
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox