4936 lz4 could theoretically overflow a pointer with a certain input
@@ -958,10 +958,13 @@
}
length += len;
}
/* copy literals */
cpy = op + length;
+ /* CORNER-CASE: cpy might overflow. */
+ if (cpy < op)
+ goto _output_error; /* cpy was overflowed, bail! */
if unlikely(cpy > oend - COPYLENGTH) {
if (cpy != oend)
/* Error: we must necessarily stand at EOF */
goto _output_error;
(void) memcpy(op, ip, length);
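Review bot: The added test `if (cpy < op)` runs only after `cpy = op + length` has been evaluated, and forming a pointer past the end of the output buffer is undefined behaviour in C, so an optimizing compiler may assume the wrap cannot happen and remove the check. Comparing the length with the space that remains avoids creating the out-of-range pointer at all, for example `if (length > (size_t)(oend - op)) goto _output_error;` placed before the assignment to `cpy`. This assumes `length` has an unsigned type, which cannot be confirmed because its declaration is outside the hunk. The hunk at -1073 adds the identical check and needs the same change; the enclosing functions begin and end outside both hunks.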
@@ -1073,10 +1076,13 @@
length += s;
}
}
/* copy literals */
cpy = op + length;
+ /* CORNER-CASE: cpy might overflow. */
+ if (cpy < op)
+ goto _output_error; /* cpy was overflowed, bail! */
if ((cpy > oend - COPYLENGTH) ||
(ip + length > iend - COPYLENGTH)) {
if (cpy > oend)
/* Error: writes beyond output buffer */
goto _output_error;
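Review bot: The new guard in this hunk protects only the output pointer, while `ip + length` in the condition that follows is built from the same `length` read from the compressed stream and can wrap in the same way. If it wraps, the comparison against `iend - COPYLENGTH` would appear to pass and the literal copy that presumably follows outside the hunk could read beyond the input buffer. A matching bound on the input side would close that gap, for example `if (length > (size_t)(iend - ip)) goto _output_error;` next to the output check. This again assumes `length` is unsigned, since its declaration is not visible here.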