Attachment 16166 Details for Bug 14263 – patch that seems to work at -O3

[patch] patch that seems to work at -O3

0001-lzxpress-add-bounds-checking-to-lzxpress_decompress.patch (text/plain), 3.29 KB, created by Douglas Bagnall on 2020-08-08 00:21:01 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Douglas Bagnall

Created: 2020-08-08 00:21:01 UTC

Size: 3.29 KB

patch

obsolete

>From 2ff7c0256326713c228ca513153e16d0e2e712f8 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Thu, 7 Nov 2019 10:03:36 +0100
>Subject: [PATCH] lzxpress: add bounds checking to lzxpress_decompress()
>
>lzxpress_decompress() would wander past the end of the array in
>numerous locations.
>
>Credit to OSS-Fuzz.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14190
>REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19382
>REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
>REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22485
>REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22667
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
>---
> lib/compression/lzxpress.c | 30 ++++++++++++++++++++++++++++--
> 1 file changed, 28 insertions(+), 2 deletions(-)
>
>diff --git a/lib/compression/lzxpress.c b/lib/compression/lzxpress.c
>index 024aba4c2ce..5e4d1245131 100644
>--- a/lib/compression/lzxpress.c
>+++ b/lib/compression/lzxpress.c
>@@ -252,8 +252,22 @@ ssize_t lzxpress_decompress(const uint8_t *input,
> 	offset = 0;
> 	nibble_index = 0;
> 
>+#define __CHECK_BYTES(__size, __index, __needed) do { \
>+	uint32_t __req_size = __index + __needed; \
>+	if (unlikely(__req_size < __index ||	  \
>+		     __req_size > __size)) {	  \
>+		return -1;			  \
>+	}					  \
>+} while(0)
>+
>+#define CHECK_INPUT_BYTES(__needed) \
>+	__CHECK_BYTES(input_size, input_index, __needed)
>+#define CHECK_OUTPUT_BYTES(__needed) \
>+	__CHECK_BYTES(max_output_size, output_index, __needed)
>+
> 	do {
> 		if (indicator_bit == 0) {
>+			CHECK_INPUT_BYTES(4);
> 			indicator = PULL_LE_UINT32(input, input_index);
> 			input_index += sizeof(uint32_t);
> 			indicator_bit = 32;
>@@ -266,10 +280,13 @@ ssize_t lzxpress_decompress(const uint8_t *input,
> 		 * check whether the 4th bit of the value in indicator is set
> 		 */
> 		if (((indicator >> indicator_bit) & 1) == 0) {
>+			CHECK_INPUT_BYTES(1);
>+			CHECK_OUTPUT_BYTES(1);
> 			output[output_index] = input[input_index];
> 			input_index += sizeof(uint8_t);
> 			output_index += sizeof(uint8_t);
> 		} else {
>+			CHECK_INPUT_BYTES(2);
> 			length = PULL_LE_UINT16(input, input_index);
> 			input_index += sizeof(uint16_t);
> 			offset = length / 8;
>@@ -277,6 +294,7 @@ ssize_t lzxpress_decompress(const uint8_t *input,
> 
> 			if (length == 7) {
> 				if (nibble_index == 0) {
>+					CHECK_INPUT_BYTES(1);
> 					nibble_index = input_index;
> 					length = input[input_index] % 16;
> 					input_index += sizeof(uint8_t);
>@@ -286,9 +304,11 @@ ssize_t lzxpress_decompress(const uint8_t *input,
> 				}
> 
> 				if (length == 15) {
>+					CHECK_INPUT_BYTES(1);
> 					length = input[input_index];
> 					input_index += sizeof(uint8_t);
> 					if (length == 255) {
>+						CHECK_INPUT_BYTES(2);
> 						length = PULL_LE_UINT16(input, input_index);
> 						input_index += sizeof(uint16_t);
> 						length -= (15 + 7);
>@@ -299,10 +319,16 @@ ssize_t lzxpress_decompress(const uint8_t *input,
> 			}
> 
> 			length += 3;
>+			if (length == 0) {
>+				return -1;
>+			}
> 
>-			do {
>-				if ((output_index >= max_output_size) || ((offset + 1) > output_index)) break;
>+			if (offset >= output_index) {
>+				return -1;
>+			}
>+			CHECK_OUTPUT_BYTES(length);
> 
>+			do {
> 				output[output_index] = output[output_index - offset - 1];
> 
> 				output_index += sizeof(uint8_t);
>-- 
>2.20.1
>

Flags:

dbagnall: review? (metze)

Actions: View

Attachments on bug 14263: 15763 | 15764 | 15765 | 15766 | 15767 | 15768 | 15769 | 15770 | 15771 | 15772 | 15774 | 16164 | 16166