The Samba-Bugzilla – Attachment 16166 Details for
Bug 14263
lzxpress triage meta-bug
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch that seems to work at -O3
0001-lzxpress-add-bounds-checking-to-lzxpress_decompress.patch (text/plain), 3.29 KB, created by
Douglas Bagnall
on 2020-08-08 00:21:01 UTC
(
hide
)
Description:
patch that seems to work at -O3
Filename:
MIME Type:
Creator:
Douglas Bagnall
Created:
2020-08-08 00:21:01 UTC
Size:
3.29 KB
patch
obsolete
>From 2ff7c0256326713c228ca513153e16d0e2e712f8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 7 Nov 2019 10:03:36 +0100 >Subject: [PATCH] lzxpress: add bounds checking to lzxpress_decompress() > >lzxpress_decompress() would wander past the end of the array in >numerous locations. > >Credit to OSS-Fuzz. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14190 >REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19382 >REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083 >REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22485 >REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22667 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > lib/compression/lzxpress.c | 30 ++++++++++++++++++++++++++++-- > 1 file changed, 28 insertions(+), 2 deletions(-) > >diff --git a/lib/compression/lzxpress.c b/lib/compression/lzxpress.c >index 024aba4c2ce..5e4d1245131 100644 >--- a/lib/compression/lzxpress.c >+++ b/lib/compression/lzxpress.c >@@ -252,8 +252,22 @@ ssize_t lzxpress_decompress(const uint8_t *input, > offset = 0; > nibble_index = 0; > >+#define __CHECK_BYTES(__size, __index, __needed) do { \ >+ uint32_t __req_size = __index + __needed; \ >+ if (unlikely(__req_size < __index || \ >+ __req_size > __size)) { \ >+ return -1; \ >+ } \ >+} while(0) >+ >+#define CHECK_INPUT_BYTES(__needed) \ >+ __CHECK_BYTES(input_size, input_index, __needed) >+#define CHECK_OUTPUT_BYTES(__needed) \ >+ __CHECK_BYTES(max_output_size, output_index, __needed) >+ > do { > if (indicator_bit == 0) { >+ CHECK_INPUT_BYTES(4); > indicator = PULL_LE_UINT32(input, input_index); > input_index += sizeof(uint32_t); > indicator_bit = 32; >@@ -266,10 +280,13 @@ ssize_t lzxpress_decompress(const uint8_t *input, > * check whether the 4th bit of the value in indicator is set > */ > if (((indicator >> indicator_bit) & 1) == 0) { >+ CHECK_INPUT_BYTES(1); >+ CHECK_OUTPUT_BYTES(1); > output[output_index] = input[input_index]; > input_index += sizeof(uint8_t); > output_index += sizeof(uint8_t); > } else { >+ CHECK_INPUT_BYTES(2); > length = PULL_LE_UINT16(input, input_index); > input_index += sizeof(uint16_t); > offset = length / 8; >@@ -277,6 +294,7 @@ ssize_t lzxpress_decompress(const uint8_t *input, > > if (length == 7) { > if (nibble_index == 0) { >+ CHECK_INPUT_BYTES(1); > nibble_index = input_index; > length = input[input_index] % 16; > input_index += sizeof(uint8_t); >@@ -286,9 +304,11 @@ ssize_t lzxpress_decompress(const uint8_t *input, > } > > if (length == 15) { >+ CHECK_INPUT_BYTES(1); > length = input[input_index]; > input_index += sizeof(uint8_t); > if (length == 255) { >+ CHECK_INPUT_BYTES(2); > length = PULL_LE_UINT16(input, input_index); > input_index += sizeof(uint16_t); > length -= (15 + 7); >@@ -299,10 +319,16 @@ ssize_t lzxpress_decompress(const uint8_t *input, > } > > length += 3; >+ if (length == 0) { >+ return -1; >+ } > >- do { >- if ((output_index >= max_output_size) || ((offset + 1) > output_index)) break; >+ if (offset >= output_index) { >+ return -1; >+ } >+ CHECK_OUTPUT_BYTES(length); > >+ do { > output[output_index] = output[output_index - offset - 1]; > > output_index += sizeof(uint8_t); >-- >2.20.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
dbagnall
:
review?
(
metze
)
Actions:
View
Attachments on
bug 14263
:
15763
|
15764
|
15765
|
15766
|
15767
|
15768
|
15769
|
15770
|
15771
|
15772
|
15774
|
16164
| 16166