search

Amrnasr / lz4

Automatically exported from code.google.com/p/lz4
0 stars 0 forks source link

Pointer wraparound #51

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
In LZ4_uncompress:
        LZ4_READ_LITTLEENDIAN_16(ref,cpy,ip); ip+=2;
        if (ref < (BYTE* const)dest) goto _output_error;

If the pointer value of 'cpy' is < 65536, it's possible to construct an input 
stream that will make the subtraction inside READ_LITTLEENDIAN wrap, so 'ref' 
will become a very high value. The code will then try to read/write outside of 
the buffer and likely crash.

Original issue reported on code.google.com by strig...@gmail.com on 5 Dec 2012 at 7:26

GoogleCodeExporter commented 8 years ago 
Yes, this is in theory possible.

However, i've never seen that.
And I suspect this usecase is impossible on "modern" OS (windows, unix, BSD, 
and so forth). 
Of course i would feel better if this could be "proven". For this objective, it 
would be enough to prove that no allocation can take place in a memory address 
below 0x0000FFFF.

Note that, if this use case can happen in a "hobby OS", or a fairly old one 
(read : very rarely used today), i consider this issue should be left to 
dedicated forks.

Original comment by yann.col...@gmail.com on 6 Dec 2012 at 1:12

GoogleCodeExporter commented 8 years ago 
[deleted comment]
GoogleCodeExporter commented 8 years ago 
[deleted comment]
GoogleCodeExporter commented 8 years ago 
I've checked that point. It's not possible to obtain an allocated memory 
address which is so low (with a modern OS, such as BSD/Linux/Windows). 
Nonetheless, it seems good practice to control pointer coherence differently 
(see http://lwn.net/Articles/278137/ for an example).
So i'll probably update it anyway.

Original comment by yann.col...@gmail.com on 9 Dec 2012 at 11:12

GoogleCodeExporter commented 8 years ago 
Cannot happen on a modern OS (BSD/Linux/*nix/Windows)

Original comment by yann.col...@gmail.com on 30 Mar 2013 at 10:04