diff options
author | Alexey Tourbin <alexey.tourbin@gmail.com> | 2018-04-22 22:43:30 (GMT) |
---|---|---|
committer | Alexey Tourbin <alexey.tourbin@gmail.com> | 2018-04-22 23:13:49 (GMT) |
commit | ab06ef97bb5bb50f642add1e80854a09c3d38068 (patch) | |
tree | f7682234ceaebb92935573c386600488e627fa19 /lib/lz4.h | |
parent | 62d7cdcc741480842a0c217df7cb26ad3946ab32 (diff) | |
download | lz4-ab06ef97bb5bb50f642add1e80854a09c3d38068.zip lz4-ab06ef97bb5bb50f642add1e80854a09c3d38068.tar.gz lz4-ab06ef97bb5bb50f642add1e80854a09c3d38068.tar.bz2 |
lz4.h: clarify the risks of using LZ4_decompress_fast()
The notes about "security guarantee" and "malicious inputs" seemed
a bit non-technical to me, so I took the liberty to tone them down
and instead describe the actual risks in technical terms. Namely,
the function never writes past the end of the output buffer, so
a direct hostile takeover (resulting in arbitrary code execution
soon after the return from the function) is not possible. However,
the application can crash because of reads from unmapped pages.
I also took the liberty to describe what I believe is the only sensible
usage scenario for the function: "This function is only usable if the
originalSize of uncompressed data is known in advance," etc.
Diffstat (limited to 'lib/lz4.h')
-rw-r--r-- | lib/lz4.h | 12 |
1 files changed, 7 insertions, 5 deletions
@@ -206,15 +206,17 @@ LZ4LIB_API int LZ4_compress_destSize (const char* src, char* dst, int* srcSizePt /*! LZ4_decompress_fast() : **unsafe!** This function is a bit faster than LZ4_decompress_safe(), -but doesn't provide any security guarantee. +but it may misbehave on malformed input because it doesn't perform full validation of compressed data. originalSize : is the uncompressed size to regenerate Destination buffer must be already allocated, and its size must be >= 'originalSize' bytes. return : number of bytes read from source buffer (== compressed size). If the source stream is detected malformed, the function stops decoding and return a negative result. - note : This function respects memory boundaries for *properly formed* compressed data. - However, it does not provide any protection against malicious input. - It also doesn't know 'src' size, and implies it's >= compressed size. - Use this function in trusted environment **only**. + note : This function is only usable if the originalSize of uncompressed data is known in advance. + The caller should also check that all the compressed input has been consumed properly, + i.e. that the return value matches the size of the buffer with compressed input. + The function never writes past the output buffer. However, since it doesn't know its 'src' size, + it may read past the intended input. Also, because match offsets are not validated during decoding, + reads from 'src' may underflow. Use this function in trusted environment **only**. */ LZ4LIB_API int LZ4_decompress_fast (const char* src, char* dst, int originalSize); |