hi! yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.
---
 grub-core/fs/zfs/zfs_lz4.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
index 1212a89..ca6445d 100644
--- a/grub-core/fs/zfs/zfs_lz4.c
+++ b/grub-core/fs/zfs/zfs_lz4.c
@@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
 }
 /* copy literals */
 cpy = op + length;
+ if (cpy < op)
+ goto _output_error;
 if ((cpy > oend - COPYLENGTH) || (ip + length > iend - COPYLENGTH)) {
 if (cpy > oend)
--
1.7.9.2
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
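Review bot: The added guard `if (cpy < op)` tests for wrap-around only after `cpy = op + length` has already been formed, and computing a pointer beyond the end of the output object is undefined behaviour in C, so an optimising compiler is entitled to fold `op + length < op` to false and drop the check entirely, which leaves the decompressor as exposed to an oversized literal length from the on-disk stream as before. Compare the length against the space that remains before doing the arithmetic instead, placed ahead of `cpy = op + length;`: `if (length > (grub_size_t) (oend - op))` / `goto _output_error;` (use whatever unsigned size type this file already uses for the cast). The same wrap applies to `ip + length` in the existing condition two lines below, so an equivalent `length > (grub_size_t) (iend - ip)` test is needed on the input side as well. The declaration of `length`, the `_output_error` label and the rest of LZ4_uncompress_unknownOutputSize lie outside the hunk, so the exact types involved should be confirmed in the file.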