lzop: add overflow check
See CVE-2014-4607 http://www.openwall.com/lists/oss-security/2014/06/26/20 function old new delta lzo1x_decompress_safe 1010 1031 +21 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
parent
1b487ea8a6
commit
a9dc7c2f59
@ -76,11 +76,13 @@
|
||||
# define TEST_IP (ip < ip_end)
|
||||
# define NEED_IP(x) \
|
||||
if ((unsigned)(ip_end - ip) < (unsigned)(x)) goto input_overrun
|
||||
# define TEST_IV(x) if ((x) > (unsigned)0 - (511)) goto input_overrun
|
||||
|
||||
# undef TEST_OP /* don't need both of the tests here */
|
||||
# define TEST_OP 1
|
||||
# define NEED_OP(x) \
|
||||
if ((unsigned)(op_end - op) < (unsigned)(x)) goto output_overrun
|
||||
# define TEST_OV(x) if ((x) > (unsigned)0 - (511)) goto output_overrun
|
||||
|
||||
#define HAVE_ANY_OP 1
|
||||
|
||||
|
@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
|
||||
ip++;
|
||||
NEED_IP(1);
|
||||
}
|
||||
TEST_IV(t);
|
||||
t += 15 + *ip++;
|
||||
}
|
||||
/* copy literals */
|
||||
@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
|
||||
ip++;
|
||||
NEED_IP(1);
|
||||
}
|
||||
TEST_IV(t);
|
||||
t += 31 + *ip++;
|
||||
}
|
||||
#if defined(COPY_DICT)
|
||||
@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
|
||||
ip++;
|
||||
NEED_IP(1);
|
||||
}
|
||||
TEST_IV(t);
|
||||
t += 7 + *ip++;
|
||||
}
|
||||
#if defined(COPY_DICT)
|
||||
|
Loading…
Reference in New Issue
Block a user