lzop: add overflow check

See CVE-2014-4607
http://www.openwall.com/lists/oss-security/2014/06/26/20

function                                             old     new   delta
lzo1x_decompress_safe                               1010    1031     +21

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3)

diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h
index 843997cb9cfe5969bd30b0db2f602844f27a8b74..4596620fee23e65e1969c58966014a462e516839 100644 (file)
--- a/archival/libarchive/liblzo.h
+++ b/archival/libarchive/liblzo.h
@@ -76,11 +76,13 @@
 #    define TEST_IP             (ip < ip_end)
 #    define NEED_IP(x) \
             if ((unsigned)(ip_end - ip) < (unsigned)(x))  goto input_overrun
+#    define TEST_IV(x)          if ((x) > (unsigned)0 - (511)) goto input_overrun
 
 #    undef TEST_OP              /* don't need both of the tests here */
 #    define TEST_OP             1
 #    define NEED_OP(x) \
             if ((unsigned)(op_end - op) < (unsigned)(x))  goto output_overrun
+#    define TEST_OV(x)          if ((x) > (unsigned)0 - (511)) goto output_overrun
 
 #define HAVE_ANY_OP 1
 

diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c
index 9bc1270da81f18018861b188893a3e2a6205bcc0..40b167e688e2218b0333f917c060630238afb5b9 100644 (file)
--- a/archival/libarchive/lzo1x_d.c
+++ b/archival/libarchive/lzo1x_d.c
@@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
                                ip++;
                                NEED_IP(1);
                        }
+                       TEST_IV(t);
                        t += 15 + *ip++;
                }
                /* copy literals */
@@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
                                                ip++;
                                                NEED_IP(1);
                                        }
+                                       TEST_IV(t);
                                        t += 31 + *ip++;
                                }
 #if defined(COPY_DICT)
@@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
                                                ip++;
                                                NEED_IP(1);
                                        }
+                                       TEST_IV(t);
                                        t += 7 + *ip++;
                                }
 #if defined(COPY_DICT)