Message ID | 1403888205-135740-2-git-send-email-brad.figg@canonical.com |
---|---|
State | New |
On 27.06.2014 18:56, Brad Figg wrote: > From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > CVE-2014-2611 > > Given some pathologically compressed data, lz4 could possibly decide to > wrap a few internal variables, causing unknown things to happen. Catch > this before the wrapping happens and abort the decompression. > > Reported-by: "Don A. Bailey" <donb@securitymouse.com> > Cc: stable <stable@vger.kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > (cherry picked from commit 206204a1162b995e2185275167b22468c00d6b36) > Signed-off-by: Brad Figg <brad.figg@canonical.com> > --- > lib/lz4/lz4_decompress.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c > index 411be80..6423f01 100644 > --- a/lib/lz4/lz4_decompress.c > +++ b/lib/lz4/lz4_decompress.c > @@ -72,6 +72,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize) > len = *ip++; > for (; len == 255; length += 255) > len = *ip++; > + if (unlikely(length > (size_t)(length + len))) > + goto _output_error; > length += len; > } > > Looks to be doing what it claims
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c index 411be80..6423f01 100644 --- a/lib/lz4/lz4_decompress.c +++ b/lib/lz4/lz4_decompress.c @@ -72,6 +72,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize) len = *ip++; for (; len == 255; length += 255) len = *ip++; + if (unlikely(length > (size_t)(length + len))) + goto _output_error; length += len; }
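Review bot: The added test in lz4_uncompress() covers only the final `length += len`; the `length += 255` steps taken by the `for (; len == 255; length += 255)` loop directly above it are not tested. If `length` wraps while that loop is accumulating, it comes out small and `length > (size_t)(length + len)` passes. The declaration of `length` is outside this hunk, so whether a long enough run of 255 bytes is reachable depends on its width. Consider performing the same test inside the loop body, or bounding `length` against the remaining output space derived from `osize` before it is used. A short comment above the new test naming the wrap it guards would also help, since the commit message only refers to "a few internal variables".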