[1/3] lz4: refine commit 9143a6c55ef7 for the 64-bit case
diff mbox series

Message ID 4d783acc-35be-1b6d-00c7-f1ce88abdbcc@suse.com
State New
Headers show
Series
  • lz4: misc fixes / adjustments
Related show

Commit Message

Jan Beulich Dec. 5, 2019, 7:30 a.m. UTC
I clearly went too far there: While the LZ4_WILDCOPY() instances indeed
need prior guarding, LZ4_SECURECOPY() needs this only in the 32-bit case
(where it simply aliases LZ4_WILDCOPY()). "cpy" can validly point
(slightly) below "op" in these cases, due to

		cpy = op + length - (STEPSIZE - 4);

where length can be as low as 0 and STEPSIZE is 8. However, instead of
removing the check via "#if !LZ4_ARCH64", refine it such that it would
also properly work in the 64-bit case, aborting decompression instead
of continuing on bogus input.

Reported-by: Mark Pryor <pryorm09@gmail.com>
Reported-by: Jeremi Piotrowski <jeremi.piotrowski@gmail.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: Mark Pryor <pryorm09@gmail.com>

Patch
diff mbox series

--- a/xen/common/lz4/decompress.c
+++ b/xen/common/lz4/decompress.c
@@ -147,7 +147,7 @@  static int INIT lz4_uncompress(const uns
 				goto _output_error;
 			continue;
 		}
-		if (unlikely((unsigned long)cpy < (unsigned long)op))
+		if (unlikely((unsigned long)cpy < (unsigned long)op - (STEPSIZE - 4)))
 			goto _output_error;
 		LZ4_SECURECOPY(ref, op, cpy);
 		op = cpy; /* correction */
@@ -279,7 +279,7 @@  static int lz4_uncompress_unknownoutputs
 				goto _output_error;
 			continue;
 		}
-		if (unlikely((unsigned long)cpy < (unsigned long)op))
+		if (unlikely((unsigned long)cpy < (unsigned long)op - (STEPSIZE - 4)))
 			goto _output_error;
 		LZ4_SECURECOPY(ref, op, cpy);
 		op = cpy; /* correction */