From ee4712284cd6c0532b6fb78e23a3799f4ccdd675 Mon Sep 17 00:00:00 2001 From: Dan McDonald Date: Mon, 23 Jun 2014 22:25:02 -0400 Subject: [PATCH] Illumos #4936 fix potential overflow in lz4 4936 lz4 could theoretically overflow a pointer with a certain input Reviewed by: Saso Kiselkov Reviewed by: Keith Wesolowski Approved by: Gordon Ross Ported by: Tim Chase References: https://illumos.org/issues/4936 https://github.com/illumos/illumos-gate/commit/58d0718 Porting notes: This fixes the widely-reported "20-year-old vulnerability" in LZO/LZ4 implementations which inherited said bug from the reference implementation. Signed-off-by: Richard Yao Signed-off-by: Tim Chase Signed-off-by: Brian Behlendorf Closes #2429 --- module/zfs/lz4.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/module/zfs/lz4.c b/module/zfs/lz4.c index 497296e35..5c3c6cdb1 100644 --- a/module/zfs/lz4.c +++ b/module/zfs/lz4.c @@ -907,6 +907,9 @@ LZ4_uncompress_unknownOutputSize(const char *source, char *dest, int isize, } /* copy literals */ cpy = op + length; + /* CORNER-CASE: cpy might overflow. */ + if (cpy < op) + goto _output_error; /* cpy was overflowed, bail! */ if ((cpy > oend - COPYLENGTH) || (ip + length > iend - COPYLENGTH)) { if (cpy > oend)
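Review bot: the new guard `if (cpy < op)` in the literal-copy hunk tests for overflow only after `cpy = op + length;` has already been computed, and forming a pointer that wraps past the end of the object is undefined behaviour in C, so a compiler is entitled to assume `op + length >= op` and drop the comparison entirely; the check should instead be expressed on the lengths before the pointer is formed, e.g. `if (length > (size_t)(oend - op)) goto _output_error;`, or on `uintptr_t` values if the wrap-around test is to be kept. The same reasoning applies to the unchanged `ip + length > iend - COPYLENGTH` test in the following line, which still forms `ip + length` before comparing it and so is not covered by the new guard; bounding `length` against `iend - ip` there would close that side too. The comment `/* CORNER-CASE: cpy might overflow. */` should also say that `length` is attacker-controlled input (it is read from the compressed stream), since that is the reason the case is reachable at all.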