Date: Sun, 11 Sep 2016 17:48:06 +0000 (UTC) From: Allan Jude <allanjude@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r305701 - head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs Message-ID: <201609111748.u8BHm66n095430@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: allanjude Date: Sun Sep 11 17:48:06 2016 New Revision: 305701 URL: https://svnweb.freebsd.org/changeset/base/305701 Log: MFV r268120: 4936 lz4 could theoretically overflow a pointer with a certain input illumos/illumos-gate@58d0718061c87e3d647c891ec5281b93c08dba4e Reviewed by: delphij MFC after: 2 weeks Sponsored by: ScaleEngine Inc. Differential Revision: https://reviews.freebsd.org/D7850 Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/lz4.c Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/lz4.c ============================================================================== --- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/lz4.c Sun Sep 11 17:44:35 2016 (r305700) +++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/lz4.c Sun Sep 11 17:48:06 2016 (r305701) @@ -187,21 +187,18 @@ lz4_decompress(void *s_start, void *d_st defined(__amd64) || defined(__ppc64__) || defined(_WIN64) || \ defined(__LP64__) || defined(_LP64)) #define LZ4_ARCH64 1 -/* - * Illumos: On amd64 we have 20k of stack and 24k on sun4u and sun4v, so we - * can spend 16k on the algorithm - */ -/* FreeBSD: Use heap for all platforms for now */ -#define STACKLIMIT 0 #else #define LZ4_ARCH64 0 +#endif + /* - * Illumos: On i386 we only have 12k of stack, so in order to maintain the - * same COMPRESSIONLEVEL we have to use heap allocation. Performance will - * suck, but alas, it's ZFS on 32-bit we're talking about, so... + * Limits the amount of stack space that the algorithm may consume to hold + * the compression lookup table. The value `9' here means we'll never use + * more than 2k of stack (see above for a description of COMPRESSIONLEVEL). + * If more memory is needed, it is allocated from the heap. */ +/* FreeBSD: Use heap for all platforms for now */ #define STACKLIMIT 0 -#endif /* * Little Endian or Big Endian? @@ -870,7 +867,7 @@ real_LZ4_compress(const char *source, ch /* Decompression functions */ /* - * Note: The decoding functionLZ4_uncompress_unknownOutputSize() is safe + * Note: The decoding function LZ4_uncompress_unknownOutputSize() is safe * against "buffer overflow" attack type. They will never write nor * read outside of the provided output buffers. * LZ4_uncompress_unknownOutputSize() also insures that it will never @@ -913,6 +910,9 @@ LZ4_uncompress_unknownOutputSize(const c } /* copy literals */ cpy = op + length; + /* CORNER-CASE: cpy might overflow. */ + if (cpy < op) + goto _output_error; /* cpy was overflowed, bail! */ if ((cpy > oend - COPYLENGTH) || (ip + length > iend - COPYLENGTH)) { if (cpy > oend)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201609111748.u8BHm66n095430>