[Saucy][Trusty][CVE-2014-4611][PATCH 1/1] lz4: ensure length does not wrap
Brad Figg
brad.figg at canonical.com
Fri Jun 27 16:56:45 UTC 2014
From: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
CVE-2014-2611
Given some pathologically compressed data, lz4 could possibly decide to
wrap a few internal variables, causing unknown things to happen. Catch
this before the wrapping happens and abort the decompression.
Reported-by: "Don A. Bailey" <donb at securitymouse.com>
Cc: stable <stable at vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
(cherry picked from commit 206204a1162b995e2185275167b22468c00d6b36)
Signed-off-by: Brad Figg <brad.figg at canonical.com>
---
lib/lz4/lz4_decompress.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index 411be80..6423f01 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -72,6 +72,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
len = *ip++;
for (; len == 255; length += 255)
len = *ip++;
+ if (unlikely(length > (size_t)(length + len)))
+ goto _output_error;
length += len;
}
--
1.9.1
More information about the kernel-team
mailing list