authorW. Felix Handte <w@felixhandte.com>2018-04-26 20:53:40 (GMT)
committerW. Felix Handte <w@felixhandte.com>2018-04-26 21:18:40 (GMT)
commita2edeac201a7c1c7869d3754cd4dd5d49997357e (patch)
treeebdb525c7ac59ff3364b252cb88c88fca63e3795 /lib/lz4frame.c
parentbd92689798292f8ab8d2b48f31cd4b49bfa6d87b (diff)
Limit Dictionary Size During LZ4F Decompression
Fixes lz4/lz4#517.
Diffstat (limited to 'lib/lz4frame.c')
-rw-r--r--lib/lz4frame.c25
1 files changed, 21 insertions, 4 deletions
diff --git a/lib/lz4frame.c b/lib/lz4frame.c
index b616463..4d6d39c 100644
--- a/lib/lz4frame.c
+++ b/lib/lz4frame.c
@@ -1502,11 +1502,19 @@ size_t LZ4F_decompress(LZ4F_dctx* dctx,
} }
if ((size_t)(dstEnd-dstPtr) >= dctx->maxBlockSize) {
+ const char *dict = (const char *)dctx->dict;
+ size_t dictSize = dctx->dictSize;
+ int decodedSize;
+ if (dict && dictSize > 1 GB) {
+ /* the dictSize param is an int, avoid truncation / sign issues */
+ dict += dictSize - 1 GB;
+ dictSize = 1 GB;
+ }
/* enough capacity in `dst` to decompress directly there */
- int const decodedSize = LZ4_decompress_safe_usingDict(
+ decodedSize = LZ4_decompress_safe_usingDict(
(const char*)selectedIn, (char*)dstPtr,
(int)dctx->tmpInTarget, (int)dctx->maxBlockSize,
- (const char*)dctx->dict, (int)dctx->dictSize);
+ dict, (int)dictSize);
if (decodedSize < 0) return err0r(LZ4F_ERROR_GENERIC); /* decompression failed */
if (dctx->frameInfo.contentChecksumFlag)
XXH32_update(&(dctx->xxh), dstPtr, decodedSize);
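Review bot: The clamp that keeps `(int)dictSize` from truncating or going negative is written out twice, here before the direct-to-`dst` call and again in the `/* Decode block */` hunk at -1538, so a later change to the bound or the pointer adjustment can land in one copy and leave the other with the original sign problem. Moving it into one static helper called from both sites removes that risk; the enclosing LZ4F_decompress body starts and ends outside both hunks. The helper's comment should also say why the tail of the dictionary is the part to keep, which the current comment leaves out. Where dctx->dictSize grows is not visible in this diff, so it is worth checking whether it could be bounded where it is updated as well.

```c
/* Keep only the last 1 GB of the dictionary so its size fits the int
 * parameter of LZ4_decompress_safe_usingDict(). */
static void LZ4F_clampDict(const char** dictPtr, size_t* dictSizePtr)
{
    if (*dictPtr && *dictSizePtr > 1 GB) {
        *dictPtr += *dictSizePtr - 1 GB;
        *dictSizePtr = 1 GB;
    }
}

/* ... at both call sites in LZ4F_decompress ... */
const char* dict = (const char*)dctx->dict;
size_t dictSize = dctx->dictSize;
int decodedSize;
LZ4F_clampDict(&dict, &dictSize);
/* ... unchanged: LZ4_decompress_safe_usingDict call taking dict, (int)dictSize ... */
```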
@@ -1538,10 +1546,19 @@ size_t LZ4F_decompress(LZ4F_dctx* dctx,
}
/* Decode block */
- { int const decodedSize = LZ4_decompress_safe_usingDict(
+ {
+ const char *dict = (const char *)dctx->dict;
+ size_t dictSize = dctx->dictSize;
+ int decodedSize;
+ if (dict && dictSize > 1 GB) {
+ /* the dictSize param is an int, avoid truncation / sign issues */
+ dict += dictSize - 1 GB;
+ dictSize = 1 GB;
+ }
+ decodedSize = LZ4_decompress_safe_usingDict(
(const char*)selectedIn, (char*)dctx->tmpOut,
(int)dctx->tmpInTarget, (int)dctx->maxBlockSize,
- (const char*)dctx->dict, (int)dctx->dictSize);
+ dict, (int)dictSize);
if (decodedSize < 0) /* decompression failed */
return err0r(LZ4F_ERROR_decompressionFailed);
if (dctx->frameInfo.contentChecksumFlag)