diff options
| author | Yann Collet <cyan@fb.com> | 2017-06-26 18:29:05 (GMT) |
|---|---|---|
| committer | Yann Collet <cyan@fb.com> | 2017-06-26 18:29:05 (GMT) |
| commit | 6ad3a983dbf3a25273e04051d29022c72c469cd5 (patch) | |
| tree | c010e4eb8b3811a97d7c23552bdfc957bd30bcb0 | |
| parent | 2ef4afeebeadae41a83f4cb5702180f8137c30f6 (diff) | |
| download | lz4-6ad3a983dbf3a25273e04051d29022c72c469cd5.zip lz4-6ad3a983dbf3a25273e04051d29022c72c469cd5.tar.gz lz4-6ad3a983dbf3a25273e04051d29022c72c469cd5.tar.bz2 | |
fix #369
The bug would make the bt search read one byte in an invalid memory region,
and make a branch decision based on its value.
Impact was small (missed compression opportunity).
It only happens in -BD mode, with extDict-prefix overlapping matches.
The bt match search is supposed to work also in extDict mode.
In which case, the match ptr can point into Dict.
When the match was overlapping Dict<->Prefix,
match[matchLength] would end up outside of Dict, in an invalid memory area.
The correction ensures that in such a case,
match[matchLength] ends up at intended location, inside prefix.
| -rw-r--r-- | lib/lz4.c | 14 | ||||
| -rw-r--r-- | lib/lz4opt.h | 5 |
2 files changed, 18 insertions, 1 deletions
@@ -280,10 +280,22 @@ static const int LZ4_minLength = (MFLIMIT+1); /*-************************************ -* Common Utils +* Error detection **************************************/ #define LZ4_STATIC_ASSERT(c) { enum { LZ4_static_assert = 1/(int)(!!(c)) }; } /* use only *after* variable declarations */ +#if defined(LZ4_DEBUG) && (LZ4_DEBUG>=2) +# include <stdio.h> +# define DEBUGLOG(l, ...) { \ + if (l<=LZ4_DEBUG) { \ + fprintf(stderr, __FILE__ ": "); \ + fprintf(stderr, __VA_ARGS__); \ + fprintf(stderr, " \n"); \ + } } +#else +# define DEBUGLOG(l, ...) {} /* disabled */ +#endif + /*-************************************ * Common functions diff --git a/lib/lz4opt.h b/lib/lz4opt.h index b346eba..e9e54d8 100644 --- a/lib/lz4opt.h +++ b/lib/lz4opt.h @@ -122,6 +122,8 @@ FORCE_INLINE int LZ4HC_BinTree_InsertAndGetAllMatches ( matchLength = LZ4_count(ip, match, vLimit); if ((ip+matchLength == vLimit) && (vLimit < iHighLimit)) matchLength += LZ4_count(ip+matchLength, base+dictLimit, iHighLimit); + if (matchIndex+matchLength >= dictLimit) + match = base + matchIndex; /* to prepare for next usage of match[matchLength] */ } if (matchLength > best_mlen) { @@ -140,6 +142,8 @@ FORCE_INLINE int LZ4HC_BinTree_InsertAndGetAllMatches ( if (ip+matchLength >= iHighLimit) /* equal : no way to know if inf or sup */ break; /* drop , to guarantee consistency ; miss a bit of compression, but other solutions can corrupt the tree */ + DEBUGLOG(6, "ip :%016llX", (U64)ip); + DEBUGLOG(6, "match:%016llX", (U64)match); if (*(ip+matchLength) < *(match+matchLength)) { *ptr0 = delta0; ptr0 = &DELTANEXTMAXD(matchIndex*2); @@ -224,6 +228,7 @@ static int LZ4HC_compress_optimal ( BYTE* const oend = op + maxOutputSize; /* init */ + DEBUGLOG(5, "LZ4HC_compress_optimal"); if (sufficient_len >= LZ4_OPT_NUM) sufficient_len = LZ4_OPT_NUM-1; ctx->end += inputSize; ip++; |