authorYann Collet <Cyan4973@users.noreply.github.com>2018-04-26 23:47:50 (GMT)
committerGitHub <noreply@github.com>2018-04-26 23:47:50 (GMT)
commit00909b27b1acaa22f02cfcb8dd7798c7638046e4 (patch)
tree065377c61cb2715940a216cb1059fad209d8be5c
parent3eb3ed26e101caf2f652e6e03ad83614b6b53af0 (diff)
parenta2edeac201a7c1c7869d3754cd4dd5d49997357e (diff)
Merge pull request #518 from felixhandte/fix-517-dict-size-truncation
Limit Dictionary Size During LZ4F Decompression
-rw-r--r--lib/lz4frame.c25
1 files changed, 21 insertions, 4 deletions
diff --git a/lib/lz4frame.c b/lib/lz4frame.c
index b616463..4d6d39c 100644
--- a/lib/lz4frame.c
+++ b/lib/lz4frame.c
@@ -1502,11 +1502,19 @@ size_t LZ4F_decompress(LZ4F_dctx* dctx,
} }
if ((size_t)(dstEnd-dstPtr) >= dctx->maxBlockSize) {
+ const char *dict = (const char *)dctx->dict;
+ size_t dictSize = dctx->dictSize;
+ int decodedSize;
+ if (dict && dictSize > 1 GB) {
+ /* the dictSize param is an int, avoid truncation / sign issues */
+ dict += dictSize - 1 GB;
+ dictSize = 1 GB;
+ }
/* enough capacity in `dst` to decompress directly there */
- int const decodedSize = LZ4_decompress_safe_usingDict(
+ decodedSize = LZ4_decompress_safe_usingDict(
(const char*)selectedIn, (char*)dstPtr,
(int)dctx->tmpInTarget, (int)dctx->maxBlockSize,
- (const char*)dctx->dict, (int)dctx->dictSize);
+ dict, (int)dictSize);
if (decodedSize < 0) return err0r(LZ4F_ERROR_GENERIC); /* decompression failed */
if (dctx->frameInfo.contentChecksumFlag)
XXH32_update(&(dctx->xxh), dstPtr, decodedSize);
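Review bot: The clamp that keeps `dictSize` within `int` range is written out twice, here before the direct-to-`dst` call and again in the `/* Decode block */` path of the second hunk, so a later fix to one copy can leave the other with a truncating `(int)` cast. A small static helper called from both sites (the name below is only a suggestion) would keep the two paths in step and give the truncation rationale a single home. The guard also skips the clamp when `dict` is NULL, so `(int)dictSize` is still cast unclamped in that case; presumably `dictSize` is 0 whenever `dict` is NULL, but that is not visible in these hunks and is worth confirming. LZ4F_decompress starts and ends outside both hunks.

```c
/* Keep only the last 1 GB of the dictionary so that its size fits the int
 * parameter of LZ4_decompress_safe_usingDict() without truncation or a
 * sign change. */
static void LZ4F_clampDict(const char** dict, size_t* dictSize)
{
    if (*dict && *dictSize > 1 GB) {
        *dict += *dictSize - 1 GB;
        *dictSize = 1 GB;
    }
}

/* ... unchanged: LZ4F_decompress up to the direct-to-dst branch ... */
    const char *dict = (const char *)dctx->dict;
    size_t dictSize = dctx->dictSize;
    LZ4F_clampDict(&dict, &dictSize);
/* ... unchanged: LZ4_decompress_safe_usingDict call taking dict, (int)dictSize ... */
```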
@@ -1538,10 +1546,19 @@ size_t LZ4F_decompress(LZ4F_dctx* dctx,
}
/* Decode block */
- { int const decodedSize = LZ4_decompress_safe_usingDict(
+ {
+ const char *dict = (const char *)dctx->dict;
+ size_t dictSize = dctx->dictSize;
+ int decodedSize;
+ if (dict && dictSize > 1 GB) {
+ /* the dictSize param is an int, avoid truncation / sign issues */
+ dict += dictSize - 1 GB;
+ dictSize = 1 GB;
+ }
+ decodedSize = LZ4_decompress_safe_usingDict(
(const char*)selectedIn, (char*)dctx->tmpOut,
(int)dctx->tmpInTarget, (int)dctx->maxBlockSize,
- (const char*)dctx->dict, (int)dctx->dictSize);
+ dict, (int)dictSize);
if (decodedSize < 0) /* decompression failed */
return err0r(LZ4F_ERROR_decompressionFailed);
if (dctx->frameInfo.contentChecksumFlag)