Message ID | 1428569873-28946-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
Headers | show |
On Thu, Apr 09, 2015 at 09:57:53AM +0100, Luis Henriques wrote: > This is a note to let you know that I have just added a patch titled > > LZ4 : fix the data abort issue Please note that this patch can cause a boot to hang on one of 32bit or 64bit environments (I don't remember). This is fixed in "lz4: fix system halted at boot kernel x86_64 compressed lz4" that's yet on the way to stable trees.
On Thu, Apr 09, 2015 at 03:25:30PM +0200, David Sterba wrote: > On Thu, Apr 09, 2015 at 09:57:53AM +0100, Luis Henriques wrote: > > This is a note to let you know that I have just added a patch titled > > > > LZ4 : fix the data abort issue > > Please note that this patch can cause a boot to hang on one of 32bit or > 64bit environments (I don't remember). This is fixed in > > "lz4: fix system halted at boot kernel x86_64 compressed lz4" > > that's yet on the way to stable trees. Really? I don't think that patch is even on its way to Linus's tree yet :(
Hi David, On Thu, Apr 09, 2015 at 03:25:30PM +0200, David Sterba wrote: > On Thu, Apr 09, 2015 at 09:57:53AM +0100, Luis Henriques wrote: > > This is a note to let you know that I have just added a patch titled > > > > LZ4 : fix the data abort issue > > Please note that this patch can cause a boot to hang on one of 32bit or > 64bit environments (I don't remember). This is fixed in > > "lz4: fix system halted at boot kernel x86_64 compressed lz4" > > that's yet on the way to stable trees. Thank you for the heads-up. I'll hold this patch and wait for a fix to be available (although it looks like it may still take a while :-) Cheers, -- Luís
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c index 7a85967060a5..f0f5c5c3de12 100644 --- a/lib/lz4/lz4_decompress.c +++ b/lib/lz4/lz4_decompress.c @@ -139,6 +139,9 @@ static int lz4_uncompress(const char *source, char *dest, int osize) /* Error: request to write beyond destination buffer */ if (cpy > oend) goto _output_error; + if ((ref + COPYLENGTH) > oend || + (op + COPYLENGTH) > oend) + goto _output_error; LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH)); while (op < cpy) *op++ = *ref++;