Re: [PATCH 2/2] lz4 overflow bug
From: Andrei Borzenkov
Subject: Re: [PATCH 2/2] lz4 overflow bug
Date: Thu, 16 Apr 2015 07:20:01 +0300
On Wed, 15 Apr 2015 23:51:16 +0300
Toomas Soome <address@hidden> writes:
>
> hi!
>
> yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.
You mean "length"? Or do you really mean pointer overflow?
Anyway in both cases it seems more reasonable to check when length is
computed, not after overflow, when it is already too late.
>
> ---
> grub-core/fs/zfs/zfs_lz4.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
> index 1212a89..ca6445d 100644
> --- a/grub-core/fs/zfs/zfs_lz4.c
> +++ b/grub-core/fs/zfs/zfs_lz4.c
> @@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
> }
> /* copy literals */
> cpy = op + length;
> + if (cpy < op)
> + goto _output_error;
> if ((cpy > oend - COPYLENGTH) ||
> (ip + length > iend - COPYLENGTH)) {
> if (cpy > oend)
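Review bot: the new `if (cpy < op)` test runs only after `cpy = op + length` has already been formed, so it depends on pointer arithmetic wrapping around, which is undefined behaviour in C and a comparison the compiler is free to drop; validate `length` against the space that is actually left before forming the pointer, e.g. `if (length > (size_t)(oend - op)) goto _output_error;`, so that the existing `cpy > oend - COPYLENGTH` check never sees an overflowed value. The same reasoning applies to `ip + length` in the input-side check of the unchanged context line, which this patch does not address.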