[PATCH] lz4: fix LZ4_decompress_safe_partial read out of bound

From: Guo Xuenan
Date: Thu Nov 11 2021 - 02:11:22 EST


When partialDecoding, it is EOF if we've either filled the output
buffer or can't proceed with reading an offset for the following match.

As reported by KASAN [1], LZ4_decompress_safe_partial may lead
to erofs decoding read out of bound. Fortunately, lz4 upstream has
fixed it [2]. The current decompression routine was ported from lz4 v1.8.3,
so we can fix it before bumping lib/lz4 to v1.9.+.

[1] https://syzkaller.appspot.com/bug?extid=63d688f1d899c588fb71
[2] https://github.com/lz4/lz4/commit/c5d6f8a8be3927c0bec91bcc58667a6cfad244ad#

Reported-by: syzbot+63d688f1d899c588fb71@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: hsiangkao@xxxxxxxxxxxxxxxxx
Cc: terrelln@xxxxxx
Cc: cyan@xxxxxx
Cc: cy.fan@xxxxxxxxxx
Signed-off-by: Guo Xuenan <guoxuenan@xxxxxxxxxx>
---
lib/lz4/lz4_decompress.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index 926f4823d5ea..fd1728d94bab 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -271,8 +271,12 @@ static FORCE_INLINE int LZ4_decompress_generic(
ip += length;
op += length;

- /* Necessarily EOF, due to parsing restrictions */
- if (!partialDecoding || (cpy == oend))
+ /* Necessarily EOF when !partialDecoding.
+ * When partialDecoding, it is EOF if we've either
+ * filled the output buffer or
+ * can't proceed with reading an offset for following match.
+ */
+ if (!partialDecoding || (cpy == oend) || (ip >= (iend - 2)))
break;
} else {
/* may overwrite up to WILDCOPYLENGTH beyond cpy */
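Review bot: the added `(ip >= (iend - 2))` condition on the `if` line is one byte more conservative than the 16-bit offset read strictly needs (at `ip == iend - 2` both offset bytes are still inside the input buffer), which is the safe direction since a match following the offset would need at least one further token byte anyway; please state that in the comment or the commit message so a later reader does not relax it to `>`, and note whether the bound is taken verbatim from the upstream fix cited as [2]. Minor style point on the same lines: the comment puts text on the opening `/*` line, which follows the lz4 upstream formatting retained in lib/lz4 rather than kernel style; acceptable here, but keep it consistent with the surrounding file.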
--
2.31.1