[EGIT] [apps/terminology] master 01/01: lz4: fix another security issue on ARM 32.

Mon, 14 Jul 2014 07:04:41 -0700 

cedric pushed a commit to branch master.

http://git.enlightenment.org/apps/terminology.git/commit/?id=e3fbd7f0309fc7ba3369d027c838df09524a182b

commit e3fbd7f0309fc7ba3369d027c838df09524a182b
Author: Cedric BAIL <[email protected]>
Date:   Mon Jul 14 15:58:55 2014 +0200

    lz4: fix another security issue on ARM 32.
---
 src/bin/lz4/lz4.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/bin/lz4/lz4.c b/src/bin/lz4/lz4.c
index 824f551..482a8ed 100644
--- a/src/bin/lz4/lz4.c
+++ b/src/bin/lz4/lz4.c
@@ -922,7 +922,9 @@ FORCE_INLINE int LZ4_decompress_generic(
                 length += s;
             }
             while (likely((endOnInput)?ip<iend-RUN_MASK:1) && (s==255));
-            if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) 
goto _output_error;   /* overflow detection */
+            //if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) 
goto _output_error;   /* overflow detection */
+            if ((sizeof(void*)==4) && 
unlikely((size_t)(op+length)<(size_t)(op))) goto _output_error;   /* quickfix 
issue 134 */
+            if ((endOnInput) && (sizeof(void*)==4) && 
unlikely((size_t)(ip+length)<(size_t)(ip))) goto _output_error;   /* quickfix 
issue 134 */
         }
 
         /* copy literals */
@@ -957,11 +959,12 @@ FORCE_INLINE int LZ4_decompress_generic(
             unsigned s;
             do
             {
-                if (endOnInput && (ip > iend-LASTLITERALS)) goto _output_error;
+                if ((endOnInput) && (ip > iend-LASTLITERALS)) goto 
_output_error;
                 s = *ip++;
                 length += s;
             } while (s==255);
-            if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) 
goto _output_error;   /* overflow detection */
+            //if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) 
goto _output_error;   /* overflow detection */
+            if ((sizeof(void*)==4) && 
unlikely((size_t)(op+length)<(size_t)op)) goto _output_error;   /* quickfix 
issue 134 */
         }
 
         /* check external dictionary */
@@ -983,9 +986,9 @@ FORCE_INLINE int LZ4_decompress_generic(
                 copySize = length+MINMATCH - copySize;
                 if (copySize > (size_t)((char*)op-dest))   /* overlap */
                 {
-                    BYTE* const cpy2 = op + copySize;
-                    const BYTE* ref2 = (BYTE*)dest;
-                    while (op < cpy2) *op++ = *ref2++;
+                    BYTE* const cpy = op + copySize;
+                    const BYTE* ref = (BYTE*)dest;
+                    while (op < cpy) *op++ = *ref++;
                 }
                 else
                 {

--

Reply via email to