[Bug 1851499] [NEW] lz4 SIGSEGV in LZ4_decompress_generic

Michail 1851499 at bugs.launchpad.net
Wed Nov 6 12:42:28 UTC 2019


Public bug reported:

Affected packages:

https://packages.ubuntu.com/xenial/liblz4-1
https://packages.ubuntu.com/bionic/liblz4-1
https://packages.ubuntu.com/cosmic/liblz4-1
https://packages.ubuntu.com/disco/liblz4-1

Non-Affected packages:
https://packages.ubuntu.com/eoan/liblz4-1

Description:

I got a SIGSEGV with lz4 when trying to read a corrupted stream.
No null ptr check of source in LZ4_decompress_generic.

Description of problem:

No null ptr check of source in LZ4_decompress_generic

(gdb) bt
#0  0x00007ffff74ede70 in LZ4_decompress_generic (source=0x0,
    dest=0x631000028800 "press.foo.bar.6057 1
349830001\ncompress.foo.bar.6058 1 349830001\ncompress.foo.bar.6059 1
349830001\ncompress.foo.bar.6060 1 349830001\ncompress.foo.bar.6061 1
349830001\ncompress.foo.bar.6062 1 349830001"..., inputSize=1253,
outputSize=65536, endOnInput=1, partialDecoding=0, targetOutputSize=0,
dict=0,
    lowPrefix=0x631000028800 "press.foo.bar.6057 1
349830001\ncompress.foo.bar.6058 1 349830001\ncompress.foo.bar.6059 1
349830001\ncompress.foo.bar.6060 1 349830001\ncompress.foo.bar.6061 1
349830001\ncompress.foo.bar.6062 1 349830001"..., dictStart=0x0,
dictSize=0) at lz4.c:1157
#1  LZ4_decompress_safe (source=0x0,
    dest=0x631000028800 "press.foo.bar.6057 1
349830001\ncompress.foo.bar.6058 1 349830001\ncompress.foo.bar.6059 1
349830001\ncompress.foo.bar.6060 1 349830001\ncompress.foo.bar.6061 1
349830001\ncompress.foo.bar.6062 1 349830001"..., compressedSize=1253,
maxDecompressedSize=65536) at lz4.c:1290
#2  0x00007ffff7560631 in LZ4F_decompress_safe (source=0x0,
    dest=0x631000028800 "press.foo.bar.6057 1
349830001\ncompress.foo.bar.6058 1 349830001\ncompress.foo.bar.6059 1
349830001\ncompress.foo.bar.6060 1 349830001\ncompress.foo.bar.6061 1
349830001\ncompress.foo.bar.6062 1 349830001"..., compressedSize=1253,
maxDecompressedSize=65536,
    dictStart=0x631000028800 "press.foo.bar.6057 1
349830001\ncompress.foo.bar.6058 1 349830001\ncompress.foo.bar.6059 1
349830001\ncompress.foo.bar.6060 1 349830001\ncompress.foo.bar.6061 1
349830001\ncompress.foo.bar.6062 1 349830001"..., dictSize=0) at
lz4frame.c:957
#3  0x00007ffff755595b in LZ4F_decompress
(decompressionContext=0x61100000ff40, dstBuffer=0x7fffe8bdd82c,
dstSizePtr=0x7ffff0cf96e0, srcBuffer=0x62d000014400,
srcSizePtr=0x7ffff0cf96c0,
    decompressOptionsPtr=0x7ffff0cf8120) at lz4frame.c:1294


Version-Release number of selected component (if applicable):

In lz4 from HEAD the bug was fixed:
https://github.com/lz4/lz4/blob/master/lib/lz4.c#L1668

** Affects: lz4 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to lz4 in Ubuntu.
https://bugs.launchpad.net/bugs/1851499
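
The backtrace above shows source=0x0 reaching the block decoder with inputSize=1253. As an added illustration (not code from this report or from the lz4 project), the sketch below is a small LZ4 block decoder that rejects a NULL source before the first read and bounds-checks every later read and write; the function name, the -1 error value and the sample block are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read LZ4 length-extension bytes; a byte of 255 means another follows. */
static int read_ext(const uint8_t **ip, const uint8_t *iend, size_t *len)
{
    uint8_t b;
    do {
        if (*ip >= iend) return -1;              /* truncated input */
        b = *(*ip)++;
        *len += b;
    } while (b == 255);
    return 0;
}

/* Hypothetical bounds-checked LZ4 block decoder: bytes written, or -1. */
int checked_lz4_decode(const uint8_t *src, int src_len, uint8_t *dst, int cap)
{
    /* Reject NULL or empty buffers before the first read from src. */
    if (src == NULL || dst == NULL || src_len <= 0 || cap < 0) return -1;
    const uint8_t *ip = src, *iend = src + src_len;
    uint8_t *op = dst, *oend = dst + cap;
    for (;;) {
        if (ip >= iend) return -1;               /* block must end on literals */
        unsigned token = *ip++;
        size_t lit = token >> 4, mlen = token & 15;
        if (lit == 15 && read_ext(&ip, iend, &lit)) return -1;
        if (lit > (size_t)(iend - ip) || lit > (size_t)(oend - op)) return -1;
        memcpy(op, ip, lit); op += lit; ip += lit;
        if (ip == iend) return (int)(op - dst);  /* last sequence: done */
        if (iend - ip < 2) return -1;
        size_t off = ip[0] | ((size_t)ip[1] << 8); ip += 2;
        if (off == 0 || off > (size_t)(op - dst)) return -1;  /* before dst */
        if (mlen == 15 && read_ext(&ip, iend, &mlen)) return -1;
        if ((mlen += 4) > (size_t)(oend - op)) return -1;     /* minmatch 4 */
        while (mlen--) { *op = *(op - off); op++; }  /* overlap-safe copy */
    }
}

/* Constructed sample block: literals "abc", match (offset 3, length 9), "!" */
static const uint8_t sample_block[] = {0x35, 'a', 'b', 'c', 0x03, 0x00, 0x10, '!'};
int main(void)
{
    uint8_t out[32];
    printf("valid=%d ", checked_lz4_decode(sample_block, 8, out, 32));
    printf("null=%d\n", checked_lz4_decode(NULL, 1253, out, 32));
    return 0;
}
```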
