This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-changelog] [xen-unstable] Decompressors: validate match distance in

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] Decompressors: validate match distance in unlzma.c
From: Xen patchbot-unstable <patchbot@xxxxxxx>
Date: Fri, 11 Nov 2011 21:11:15 +0000
# HG changeset patch
# User Lasse Collin <lasse.collin@xxxxxxxxxxx>
# Date 1321018464 -3600
# Node ID 88347644935e4de008e16daa13d10d11b0e726d3
# Parent  2ffeeb28e9be98c932905f7fd2bf80bfc089622c
Decompressors: validate match distance in unlzma.c

From: Lasse Collin <lasse.collin@xxxxxxxxxxx>

Validate the newly decoded distance (rep0) in process_bit1().  This is to
detect corrupt LZMA data quickly.  The old code can run for a long time
producing garbage until it hits the end of the input.

Signed-off-by: Lasse Collin <lasse.collin@xxxxxxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Keir Fraser <keir@xxxxxxx>
Committed-by: Jan Beulich <jbeulich@xxxxxxxx>

diff -r 2ffeeb28e9be -r 88347644935e xen/common/unlzma.c
--- a/xen/common/unlzma.c       Fri Nov 11 14:33:30 2011 +0100
+++ b/xen/common/unlzma.c       Fri Nov 11 14:34:24 2011 +0100
@@ -516,6 +516,9 @@
                        cst->rep0 = pos_slot;
                if (++(cst->rep0) == 0)
                        return 0;
+               if (cst->rep0 > wr->header->dict_size
+                               || cst->rep0 > get_pos(wr))
+                       return -1;
        len += LZMA_MATCH_MIN_LEN;
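
Review bot: The added check on cst->rep0 returns -1, while the `if (++(cst->rep0) == 0)` test directly above it returns 0, so process_bit1() now has two early exits with different meanings and nothing in the hunk says which one signals corruption. A one-line comment above the new test would help, stating that a match distance larger than wr->header->dict_size or larger than get_pos(wr) cannot point at data that is actually in the window, and that -1 is the error return. It is also worth confirming that every caller of process_bit1() checks for a negative result, since only then does the early return stop decoding, which is the stated purpose of the change. As a style point, the two comparisons can differ in operand width or signedness depending on what get_pos() returns, which is not visible here, so a short note or cast would make the intent explicit.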
