Cope with compressed length being longer than uncompressed and rounding up, attending to CVE-2017-8844.

Con Kolivas 2018-05-16 14:30:15 +10:00
parent d26970135c
commit dc57230636


@ -1564,7 +1564,7 @@ retry:
/* fill a buffer from a stream - return -1 on failure */
static int fill_buffer(rzip_control *control, struct stream_info *sinfo, int streamno)
{
i64 u_len, c_len, last_head, padded_len, header_length;
i64 u_len, c_len, last_head, padded_len, header_length, max_len;
uchar enc_head[25 + SALT_LEN], blocksalt[SALT_LEN];
struct stream *s = &sinfo->s[streamno];
stream_thread_struct *st;
@ -1639,7 +1639,9 @@ fill_another:
if (unlikely(u_len > control->maxram))
fatal_return(("Unable to malloc buffer of size %lld in this environment\n", u_len), -1);
s_buf = malloc(MAX(u_len, MIN_SIZE));
max_len = MAX(u_len, MIN_SIZE);
max_len = MAX(max_len, c_len);
s_buf = malloc(max_len);
if (unlikely(u_len && !s_buf))
fatal_return(("Unable to malloc buffer of size %lld in fill_buffer\n", u_len), -1);
sinfo->ram_alloced += u_len;
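Review bot: The buffer in the second hunk is now sized from `c_len` as well, but the limit check above `s_buf = malloc(max_len);` still tests only `u_len`, and the NULL check is still gated on `u_len`. `c_len` is set outside this hunk, so this is inferred, but if it comes from the stream header then a large `c_len` is never compared with `control->maxram`, and when `u_len` is zero a failed malloc passes `if (unlikely(u_len && !s_buf))` with `s_buf` NULL. I would compute `max_len` before the limit check, test `if (unlikely(max_len > control->maxram))` and `if (unlikely(!s_buf))`, and print `max_len` in both messages. `sinfo->ram_alloced += u_len;` also records less than was allocated; whether that matters depends on how the counter is released, which is not visible here. fill_buffer starts and ends outside both hunks.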