4936 lz4 could theoretically overflow a pointer with a certain input

*** 958,967 **** --- 958,970 ---- } length += len; } /* copy literals */ cpy = op + length; + /* CORNER-CASE: cpy might overflow. */ + if (cpy < op) + goto _output_error; /* cpy was overflowed, bail! */ if unlikely(cpy > oend - COPYLENGTH) { if (cpy != oend) /* Error: we must necessarily stand at EOF */ goto _output_error; (void) memcpy(op, ip, length);
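Review bot: The added `if (cpy < op)` test runs only after `cpy = op + length` has been computed, and forming a pointer beyond the end of the output buffer is undefined behaviour in C, so an optimising compiler may treat the comparison as always false and remove it. Comparing the length with the space that remains avoids the wrap entirely: `if (length > (size_t)(oend - op)) goto _output_error;` placed before the assignment to `cpy`. That suggestion assumes `op <= oend` holds at this point and that `length` is an unsigned size; neither is visible here, because the function starts and ends outside the hunk. The same guard is added in the hunk at line 1076 and has the same weakness.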
*** 1073,1082 **** --- 1076,1088 ---- length += s; } } /* copy literals */ cpy = op + length; + /* CORNER-CASE: cpy might overflow. */ + if (cpy < op) + goto _output_error; /* cpy was overflowed, bail! */ if ((cpy > oend - COPYLENGTH) || (ip + length > iend - COPYLENGTH)) { if (cpy > oend) /* Error: writes beyond output buffer */ goto _output_error;
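Review bot: The new guard covers only the output pointer; the input-side sum `ip + length` in the condition just below it can wrap in the same way, and a wrapped value would make `ip + length > iend - COPYLENGTH` false, so the careful end-of-buffer branch would not be taken. A length check against the remaining input before that condition would cover it: `if (length > (size_t)(iend - ip)) goto _output_error;`. This assumes `ip <= iend` at this point; the declarations and the rest of the function lie outside the hunk.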