Security: LZ4_uncompress can crash on invalid input #3

Amrnasr / lz4

Automatically exported from code.google.com/p/lz4

0 stars 0 forks source link

Security: LZ4_uncompress can crash on invalid input #3 #53

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago

In LZ4_uncompress, by making a specially crafted input with a very large match 
length, such that 'length' wraps, it's possible to make 'cpy' point at NULL:

cpy = op + length - (STEPSIZE-4); // cpy can now be NULL if length = -(int)op.

The function will then crash later on.

Original issue reported on code.google.com by strig...@gmail.com on 5 Dec 2012 at 7:59

GoogleCodeExporter commented 8 years ago

Same comment as issue 52.

Original comment by yann.col...@gmail.com on 6 Dec 2012 at 1:31

GoogleCodeExporter commented 8 years ago

Merged into issue 52

Original comment by yann.col...@gmail.com on 6 Dec 2012 at 1:35

Changed state: Invalid