Illumos #4936 fix potential overflow in lz4

4936 lz4 could theoretically overflow a pointer with a certain input Reviewed by: Saso Kiselkov <[email protected]> Reviewed by: Keith Wesolowski <[email protected]> Approved by: Gordon Ross <[email protected]> Ported by: Tim Chase <[email protected]> References: https://illumos.org/issues/4936 https://github.com/illumos/illumos-gate/commit/58d0718 Porting notes: This fixes the widely-reported "20-year-old vulnerability" in LZO/LZ4 implementations which inherited said bug from the reference implementation. Signed-off-by: Richard Yao <[email protected]> Signed-off-by: Tim Chase <[email protected]> Signed-off-by: Brian Behlendorf <[email protected]> Closes #2429
author: Dan McDonald <[email protected]> 2014-06-23 22:25:02 -0400
committer: Brian Behlendorf <[email protected]> 2014-07-01 14:10:47 -0700
commit: ee4712284cd6c0532b6fb78e23a3799f4ccdd675 (patch)
tree: 6688b30a21e60a276ed1f6fd2968f6bc82d2564f /module/zfs/lz4.c
parent: 4240dc332d2ca41c31d95a81d9217c1b311666ff (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/module/zfs/lz4.c b/module/zfs/lz4.c
index 497296e35..5c3c6cdb1 100644
--- a/module/zfs/lz4.c
+++ b/module/zfs/lz4.c
@@ -907,6 +907,9 @@ LZ4_uncompress_unknownOutputSize(const char *source, char *dest, int isize,
 		}
 		/* copy literals */
 		cpy = op + length;
+		/* CORNER-CASE: cpy might overflow. */
+		if (cpy < op)
+			goto _output_error;	/* cpy was overflowed, bail! */
 		if ((cpy > oend - COPYLENGTH) ||
 		    (ip + length > iend - COPYLENGTH)) {
 			if (cpy > oend)
author	Dan McDonald <[email protected]>	2014-06-23 22:25:02 -0400
committer	Brian Behlendorf <[email protected]>	2014-07-01 14:10:47 -0700
commit	ee4712284cd6c0532b6fb78e23a3799f4ccdd675 (patch)
tree	6688b30a21e60a276ed1f6fd2968f6bc82d2564f /module/zfs/lz4.c
parent	4240dc332d2ca41c31d95a81d9217c1b311666ff (diff)