diff options
| author | W. Felix Handte <w@felixhandte.com> | 2019-07-18 16:41:12 (GMT) |
|---|---|---|
| committer | W. Felix Handte <w@felixhandte.com> | 2019-07-18 16:48:41 (GMT) |
| commit | 369fb3900cbc73543f1bab276ca1b82abe402937 (patch) | |
| tree | 0f4dbe09c6a21166a4fe2e4908c66e3fb85a13a0 /lib | |
| parent | 19b099986aeccc12bb46ad207fe8de5b36bdb7bc (diff) | |
| download | lz4-369fb3900cbc73543f1bab276ca1b82abe402937.zip lz4-369fb3900cbc73543f1bab276ca1b82abe402937.tar.gz lz4-369fb3900cbc73543f1bab276ca1b82abe402937.tar.bz2 | |
Fix Data Corruption Bug when Streaming with an Attached Dict in HC Mode
This diff fixes an issue in which we failed to clear the `dictCtx` in HC
compression. The `dictCtx` is not supposed to be used when an `extDict` is
present: matches found in the `dictCtx` do not account for the presence of an
`extDict` segment, and their offsets are therefore miscalculated when one is
present. This can lead to data corruption.
This diff clears the `dictCtx` whenever setting an `extDict`.
This issue was uncovered by @terrelln's fuzzing work.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/lz4hc.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/lz4hc.c b/lib/lz4hc.c index 46c20bc..d9e55a0 100644 --- a/lib/lz4hc.c +++ b/lib/lz4hc.c @@ -998,6 +998,11 @@ static void LZ4HC_setExternalDict(LZ4HC_CCtx_internal* ctxPtr, const BYTE* newBl if (ctxPtr->end >= ctxPtr->base + ctxPtr->dictLimit + 4) LZ4HC_Insert (ctxPtr, ctxPtr->end-3); /* Referencing remaining dictionary content */ + /* cannot reference an extDict and a dictCtx at the same time */ + if (ctxPtr->dictCtx != NULL) { + ctxPtr->dictCtx = NULL; + } + /* Only one memory segment for extDict, so any previous extDict is lost at this stage */ ctxPtr->lowLimit = ctxPtr->dictLimit; ctxPtr->dictLimit = (U32)(ctxPtr->end - ctxPtr->base); |