grub-devel


Re: [PATCH 2/2] lz4 overflow bug


From: Andrei Borzenkov
Subject: Re: [PATCH 2/2] lz4 overflow bug
Date: Thu, 16 Apr 2015 07:20:01 +0300

On Wed, 15 Apr 2015 23:51:16 +0300,
Toomas Soome <address@hidden> wrote:

> 
> hi!
> 
> yep, this old bug is not fixed in grub. cpy can (theoretically?) overflow.

You mean "length"? Or do you really mean pointer overflow?

Anyway, in both cases it seems more reasonable to check when length is
computed, not after the overflow, when it is already too late.

> 
> ---
>  grub-core/fs/zfs/zfs_lz4.c |    2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/grub-core/fs/zfs/zfs_lz4.c b/grub-core/fs/zfs/zfs_lz4.c
> index 1212a89..ca6445d 100644
> --- a/grub-core/fs/zfs/zfs_lz4.c
> +++ b/grub-core/fs/zfs/zfs_lz4.c
> @@ -185,6 +185,8 @@ LZ4_uncompress_unknownOutputSize(const char *source,
>               }
>               /* copy literals */
>               cpy = op + length;
> +             if (cpy < op)
> +                     goto _output_error;
>               if ((cpy > oend - COPYLENGTH) ||
>                   (ip + length > iend - COPYLENGTH)) {
>                       if (cpy > oend)
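Review bot: the added `if (cpy < op)` test only fires after `cpy = op + length;` has already wrapped, and forming a pointer outside the output buffer is undefined behaviour in C, so a compiler is entitled to assume `op + length >= op` and drop the comparison entirely. Bound the length before the addition instead, e.g. `if (length > (size_t)(oend - op)) goto _output_error;` placed ahead of `cpy = op + length;`, which also makes the later `cpy > oend` test redundant for this path. The same concern applies to `ip + length` in the following condition, which this hunk leaves unguarded.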




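The point raised in the reply above, checking the length before the pointer arithmetic rather than testing the resulting pointer for wraparound afterwards, as an added C example. This is not grub code and not code from the thread: the function names are invented for the illustration, the `op`/`oend`/`ip`/`iend` names mirror the patch, the `COPYLENGTH` fast path is omitted, and the input bytes are constructed. It assumes the decoder-loop invariant that `op <= oend` and `ip <= iend` hold on entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not grub code. Variable names op/oend/ip/iend follow the
 * patch; the function names are made up for this illustration.
 * Assumed invariant from the decoder loop: op <= oend and ip <= iend.
 * Both functions return 0 on success, -1 if the literal run does not fit.
 */

/* The pattern under discussion: form cpy first, look for wrap afterwards.
 * If op + length lands outside the output buffer the addition itself is
 * undefined behaviour, so a compiler may assume cpy >= op and delete the
 * test. Kept only for comparison; never call it with an overlong length. */
int copy_literals_check_after(unsigned char *op, unsigned char *oend,
                              const unsigned char *ip, const unsigned char *iend,
                              size_t length)
{
    unsigned char *cpy = op + length;      /* may already be out of bounds */
    if (cpy < op)                          /* too late: relies on UB wrap */
        return -1;
    if (cpy > oend || ip + length > iend)  /* same problem for ip + length */
        return -1;
    memcpy(op, ip, length);
    return 0;
}

/* Bound length against the space actually left before any arithmetic on
 * op or ip. Both subtractions are between pointers inside the same buffer,
 * so nothing here is undefined for any value of length, including SIZE_MAX. */
int copy_literals_check_before(unsigned char *op, unsigned char *oend,
                               const unsigned char *ip, const unsigned char *iend,
                               size_t length)
{
    if (length > (size_t)(oend - op) || length > (size_t)(iend - ip))
        return -1;
    memcpy(op, ip, length);
    return 0;
}

/* Constructed sample: an 8-byte output buffer fed from a 16-byte literal
 * stream. Returns the number of bytes copied, or -1 when rejected. */
int demo_literal_copy(size_t length)
{
    static const unsigned char in[] = "0123456789abcdef";   /* constructed input */
    unsigned char out[8];

    memset(out, 0xAA, sizeof out);
    if (copy_literals_check_before(out, out + sizeof out,
                                   in, in + sizeof in - 1, length) != 0)
        return -1;
    return memcmp(out, in, length) == 0 ? (int)length : -2;
}

int main(void)
{
    size_t lengths[] = { 5, 8, 9, SIZE_MAX };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("length %zu -> %d\n", lengths[i], demo_literal_copy(lengths[i]));
    return 0;
}
```

The checked version never needs the `cpy < op` test: a length that would wrap the pointer is, by construction, larger than `oend - op`, so it is rejected before `cpy` is ever formed.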