From a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3 Mon Sep 17 00:00:00 2001 From: Denys Vlasenko Date: Mon, 30 Jun 2014 10:14:34 +0200 Subject: [PATCH] lzop: add overflow check See CVE-2014-4607 http://www.openwall.com/lists/oss-security/2014/06/26/20 function old new delta lzo1x_decompress_safe 1010 1031 +21 Signed-off-by: Denys Vlasenko --- archival/libarchive/liblzo.h | 2 ++ archival/libarchive/lzo1x_d.c | 3 +++ 2 files changed, 5 insertions(+) --- a/archival/libarchive/liblzo.h +++ b/archival/libarchive/liblzo.h @@ -76,11 +76,13 @@ # define TEST_IP (ip < ip_end) # define NEED_IP(x) \ if ((unsigned)(ip_end - ip) < (unsigned)(x)) goto input_overrun +# define TEST_IV(x) if ((x) > (unsigned)0 - (511)) goto input_overrun # undef TEST_OP /* don't need both of the tests here */ # define TEST_OP 1 # define NEED_OP(x) \ if ((unsigned)(op_end - op) < (unsigned)(x)) goto output_overrun +# define TEST_OV(x) if ((x) > (unsigned)0 - (511)) goto output_overrun #define HAVE_ANY_OP 1 --- a/archival/libarchive/lzo1x_d.c +++ b/archival/libarchive/lzo1x_d.c @@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* ip++; NEED_IP(1); } + TEST_IV(t); t += 15 + *ip++; } /* copy literals */ @@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* ip++; NEED_IP(1); } + TEST_IV(t); t += 31 + *ip++; } #if defined(COPY_DICT) @@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* ip++; NEED_IP(1); } + TEST_IV(t); t += 7 + *ip++; } #if defined(COPY_DICT)