diff options
author | Nick Terrell <terrelln@fb.com> | 2019-06-28 21:40:14 (GMT) |
---|---|---|
committer | Nick Terrell <terrelln@fb.com> | 2019-06-28 21:58:35 (GMT) |
commit | e72d44230093f58be47c855e6b7d92493ce160db (patch) | |
tree | a8bfc6be364fcbf099c7b25e8896d62c75855d9b /lib | |
parent | 9a2a9f2d0f38a39c5ec9b329042ca5f060b058e0 (diff) | |
download | lz4-e72d44230093f58be47c855e6b7d92493ce160db.zip lz4-e72d44230093f58be47c855e6b7d92493ce160db.tar.gz lz4-e72d44230093f58be47c855e6b7d92493ce160db.tar.bz2 |
Fix out-of-bounds read of up to 64 KB in the past
Diffstat (limited to 'lib')
-rw-r--r-- | lib/lz4.c | 10 |
1 files changed, 8 insertions, 2 deletions
@@ -1703,6 +1703,7 @@ LZ4_decompress_generic( /* get offset */ offset = LZ4_readLE16(ip); ip+=2; match = op - offset; + assert(match <= op); /* get matchlength */ length = token & ML_MASK; @@ -1724,8 +1725,12 @@ LZ4_decompress_generic( } /* Fastpath check: Avoids a branch in LZ4_wildCopy32 if true */ - if (!(dict == usingExtDict) || (match >= lowPrefix)) { + if ((dict == withPrefix64k) || (match >= lowPrefix)) { if (offset >= 8) { + assert(match >= lowPrefix); + assert(match <= op); + assert(op + 18 <= oend); + memcpy(op, match, 8); memcpy(op+8, match+8, 8); memcpy(op+16, match+16, 2); @@ -1873,7 +1878,6 @@ LZ4_decompress_generic( length = token & ML_MASK; _copy_match: - if ((checkOffset) && (unlikely(match + dictSize < lowPrefix))) goto _output_error; /* Error : offset outside buffers */ if (!partialDecoding) { assert(oend > op); assert(oend - op >= 4); @@ -1891,6 +1895,7 @@ LZ4_decompress_generic( #if LZ4_FAST_DEC_LOOP safe_match_copy: #endif + if ((checkOffset) && (unlikely(match + dictSize < lowPrefix))) goto _output_error; /* Error : offset outside buffers */ /* match starting within external dictionary */ if ((dict==usingExtDict) && (match < lowPrefix)) { if (unlikely(op+length > oend-LASTLITERALS)) { @@ -1918,6 +1923,7 @@ LZ4_decompress_generic( } } continue; } + assert(match >= lowPrefix); /* copy match within block */ cpy = op + length; |