On Wed, 15 Apr 2015 23:51:16 +0300 Toomas Soome <tso...@me.com> writes:

>
> hi!
>
> yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.

You mean "length"? Or do you really mean pointer overflow? Anyway, in both cases it seems more reasonable to check when length is computed, not after overflow, when it is already too late.

>
> ---
> grub-core/fs/zfs/zfs_lz4.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
> index 1212a89..ca6445d 100644
> --- a/grub-core/fs/zfs/zfs_lz4.c
> +++ b/grub-core/fs/zfs/zfs_lz4.c
> @@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
> }
> /* copy literals */
> cpy = op + length;
> + if (cpy < op)
> + goto _output_error;
> if ((cpy > oend - COPYLENGTH) ||
> (ip + length > iend - COPYLENGTH)) {
> if (cpy > oend)

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
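Review bot: the new `if (cpy < op)` test in the `@@ -185,6 +185,8 @@` hunk is evaluated only after `cpy = op + length;` has already formed the out-of-range pointer, so it relies on pointer wrap-around, which is undefined behaviour in C and a check the compiler is entitled to delete; compare `length` against the remaining output as a count before the addition instead, for example `if (length > (size_t)(oend - op)) goto _output_error;` placed ahead of `cpy = op + length;`. The same applies to `ip + length` in the following `if ((cpy > oend - COPYLENGTH) || (ip + length > iend - COPYLENGTH))` condition, which the new check does not cover at all, so a `length > (size_t)(iend - ip)` check belongs alongside it.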
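The length-first check that the reply above argues for, written out as an added example in C (my code for this page, not GRUB's zfs_lz4.c or the patch under discussion): a minimal LZ4 literal-run decoder that reads the token's literal length, including the 0xff extension bytes, and rejects any run that does not fit in the remaining input or output before a single pointer is advanced. The function names, the status enum and the byte sequences in main() are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of decoding one literal run (constructed for this example). */
enum lz4_lit_status {
    LZ4_LIT_OK = 0,
    LZ4_LIT_TRUNCATED_INPUT = 1,
    LZ4_LIT_TOO_LONG = 2
};

/*
 * Decode the literal-length field of one LZ4 sequence token and copy the
 * literals.  The length is validated as a count against the free space that
 * remains in both buffers *before* it is added to any pointer, so no
 * out-of-range pointer is ever formed and no wrap-around test is needed.
 *
 * ip/iend: input cursor and end; op/oend: output cursor and end.
 * On success *ip and *op are advanced past the literals.
 * 'token' is the sequence token byte already read from the stream.
 */
static enum lz4_lit_status
lz4_copy_literals_checked(const unsigned char **ip, const unsigned char *iend,
                          unsigned char **op, const unsigned char *oend,
                          unsigned char token)
{
    const unsigned char *in = *ip;
    size_t out_left = (size_t)(oend - *op);
    size_t length = token >> 4;           /* high nibble: literal length 0..15 */

    if (length == 15) {
        /* Extended length: add bytes until one is < 255.  Bound the running
         * total against the remaining output as it grows, so a long run of
         * 0xff bytes can neither wrap 'length' nor exceed the buffer. */
        unsigned char s;
        do {
            if (in >= iend)
                return LZ4_LIT_TRUNCATED_INPUT;
            s = *in++;
            length += s;
            if (length > out_left)
                return LZ4_LIT_TOO_LONG;
        } while (s == 255);
    }

    /* Check the count against both buffers; only then touch the pointers. */
    if (length > out_left)
        return LZ4_LIT_TOO_LONG;
    if (length > (size_t)(iend - in))
        return LZ4_LIT_TRUNCATED_INPUT;

    memcpy(*op, in, length);
    *ip = in + length;
    *op += length;
    return LZ4_LIT_OK;
}

/* Decode the first sequence's literal run of a constructed LZ4 fragment;
 * *copied receives the number of literal bytes written to out. */
static enum lz4_lit_status
lz4_literals_demo(const unsigned char *in, size_t inlen,
                  unsigned char *out, size_t outlen, size_t *copied)
{
    const unsigned char *ip = in, *iend = in + inlen;
    unsigned char *op = out, *oend = out + outlen;
    unsigned char token;
    enum lz4_lit_status st;

    *copied = 0;
    if (inlen == 0)
        return LZ4_LIT_TRUNCATED_INPUT;
    token = *ip++;
    st = lz4_copy_literals_checked(&ip, iend, &op, oend, token);
    *copied = (size_t)(op - out);
    return st;
}

int main(void)
{
    /* Constructed inputs: a valid 3-byte run, and an extended length
     * (15 + 255 + ...) that no 16-byte output could hold. */
    static const unsigned char good[] = { 0x30, 'a', 'b', 'c' };
    static const unsigned char huge[] = { 0xF0, 0xFF, 0xFF, 0x00 };
    unsigned char out[16];
    size_t n;

    printf("good: status %d, copied %zu\n",
           lz4_literals_demo(good, sizeof good, out, sizeof out, &n), n);
    printf("huge: status %d, copied %zu\n",
           lz4_literals_demo(huge, sizeof huge, out, sizeof out, &n), n);
    return 0;
}
```

The point of the shape is that every comparison is between two counts derived from pointers that are already known to be in range (`oend - op`, `iend - in`), never between a freshly computed pointer and its base, so the compiler has nothing it can legally discard.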