aboutsummaryrefslogtreecommitdiff
path: root/archival
diff options
context:
space:
mode:
authorGravatar Denys Vlasenko <vda.linux@googlemail.com>2014-06-30 10:14:34 +0200
committerGravatar Denys Vlasenko <vda.linux@googlemail.com>2014-06-30 10:14:34 +0200
commita9dc7c2f59dc5e92870d2d46316ea5c1f14740e3 (patch)
tree0c3b2ff86a761578247db504d8e742d55071b4a8 /archival
parent1b487ea8a69ac90b530e9ccd161a5b1b21e604c7 (diff)
downloadbusybox-a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3.tar.gz
busybox-a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3.tar.bz2
lzop: add overflow check
See CVE-2014-4607 http://www.openwall.com/lists/oss-security/2014/06/26/20 function old new delta lzo1x_decompress_safe 1010 1031 +21 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'archival')
-rw-r--r--archival/libarchive/liblzo.h2
-rw-r--r--archival/libarchive/lzo1x_d.c3
2 files changed, 5 insertions, 0 deletions
diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h
index 843997cb9..4596620fe 100644
--- a/archival/libarchive/liblzo.h
+++ b/archival/libarchive/liblzo.h
@@ -76,11 +76,13 @@
# define TEST_IP (ip < ip_end)
# define NEED_IP(x) \
if ((unsigned)(ip_end - ip) < (unsigned)(x)) goto input_overrun
+# define TEST_IV(x) if ((x) > (unsigned)0 - (511)) goto input_overrun
# undef TEST_OP /* don't need both of the tests here */
# define TEST_OP 1
# define NEED_OP(x) \
if ((unsigned)(op_end - op) < (unsigned)(x)) goto output_overrun
+# define TEST_OV(x) if ((x) > (unsigned)0 - (511)) goto output_overrun
#define HAVE_ANY_OP 1
diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c
index 9bc1270da..40b167e68 100644
--- a/archival/libarchive/lzo1x_d.c
+++ b/archival/libarchive/lzo1x_d.c
@@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
ip++;
NEED_IP(1);
}
+ TEST_IV(t);
t += 15 + *ip++;
}
/* copy literals */
@@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
ip++;
NEED_IP(1);
}
+ TEST_IV(t);
t += 31 + *ip++;
}
#if defined(COPY_DICT)
@@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
ip++;
NEED_IP(1);
}
+ TEST_IV(t);
t += 7 + *ip++;
}
#if defined(COPY_DICT)