On 04.12.2019 08:14, Jeremi Piotrowski wrote:
> Any suggestions how to proceed?
Actually here's a better version (I think).
Jan
lz4: refine commit 9143a6c55ef7 for the 64-bit case
I clearly went too far there: While the LZ4_WILDCOPY() instances indeed
need prior guarding, LZ4_SECURECOPY() needs this only in the 32-bit case
(where it simply aliases LZ4_WILDCOPY()). "cpy" can validly point
(slightly) below "op" in these cases, due to
cpy = op + length - (STEPSIZE - 4);
where length can be as low as 0 and STEPSIZE is 8. However, instead of
removing the check via "#if !LZ4_ARCH64", refine it such that it would
also properly work in the 64-bit case, aborting decompression instead
of continuing on bogus input.
Reported-by: Mark Pryor <[email protected]>
Reported-by: Jeremi Piotrowski <[email protected]>
Signed-off-by: Jan Beulich <[email protected]>
--- unstable.orig/xen/common/lz4/decompress.c
+++ unstable/xen/common/lz4/decompress.c
@@ -147,7 +147,7 @@ static int INIT lz4_uncompress(const uns
goto _output_error;
continue;
}
- if (unlikely((unsigned long)cpy < (unsigned long)op))
+ if (unlikely((unsigned long)cpy < (unsigned long)op - (STEPSIZE
- 4)))
goto _output_error;
LZ4_SECURECOPY(ref, op, cpy);
op = cpy; /* correction */
@@ -279,7 +279,7 @@ static int lz4_uncompress_unknownoutputs
goto _output_error;
continue;
}
- if (unlikely((unsigned long)cpy < (unsigned long)op))
+ if (unlikely((unsigned long)cpy < (unsigned long)op - (STEPSIZE
- 4)))
goto _output_error;
LZ4_SECURECOPY(ref, op, cpy);
op = cpy; /* correction */
_______________________________________________
Xen-devel mailing list
[email protected]
https://lists.xenproject.org/mailman/listinfo/xen-devel
