Denys Vlasenko a9dc7c2f59 lzop: add overflow check
See CVE-2014-4607
http://www.openwall.com/lists/oss-security/2014/06/26/20

function                                             old     new   delta
lzo1x_decompress_safe                               1010    1031     +21

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2014-06-30 10:14:34 +02:00

424 lines
9.1 KiB
C

/* implementation of the LZO1X decompression algorithm
This file is part of the LZO real-time data compression library.
Copyright (C) 1996..2008 Markus Franz Xaver Johannes Oberhumer
All Rights Reserved.
Markus F.X.J. Oberhumer <markus@oberhumer.com>
http://www.oberhumer.com/opensource/lzo/
The LZO library is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of
the License, or (at your option) any later version.
The LZO library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with the LZO library; see the file COPYING.
If not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
#include "libbb.h"
#include "liblzo.h"
/***********************************************************************
// decompress a block of data.
************************************************************************/
/* safe decompression with overrun testing */
int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
uint8_t* out, unsigned* out_len,
void* wrkmem UNUSED_PARAM)
{
register uint8_t* op;
register const uint8_t* ip;
register unsigned t;
#if defined(COPY_DICT)
unsigned m_off;
const uint8_t* dict_end;
#else
register const uint8_t* m_pos = NULL; /* possibly not needed */
#endif
const uint8_t* const ip_end = in + in_len;
#if defined(HAVE_ANY_OP)
uint8_t* const op_end = out + *out_len;
#endif
#if defined(LZO1Z)
unsigned last_m_off = 0;
#endif
// LZO_UNUSED(wrkmem);
#if defined(COPY_DICT)
if (dict) {
if (dict_len > M4_MAX_OFFSET) {
dict += dict_len - M4_MAX_OFFSET;
dict_len = M4_MAX_OFFSET;
}
dict_end = dict + dict_len;
} else {
dict_len = 0;
dict_end = NULL;
}
#endif /* COPY_DICT */
*out_len = 0;
op = out;
ip = in;
if (*ip > 17) {
t = *ip++ - 17;
if (t < 4)
goto match_next;
assert(t > 0); NEED_OP(t); NEED_IP(t+1);
do *op++ = *ip++; while (--t > 0);
goto first_literal_run;
}
while (TEST_IP && TEST_OP) {
t = *ip++;
if (t >= 16)
goto match;
/* a literal run */
if (t == 0) {
NEED_IP(1);
while (*ip == 0) {
t += 255;
ip++;
NEED_IP(1);
}
TEST_IV(t);
t += 15 + *ip++;
}
/* copy literals */
assert(t > 0);
NEED_OP(t+3);
NEED_IP(t+4);
#if defined(LZO_UNALIGNED_OK_4) || defined(LZO_ALIGNED_OK_4)
# if !defined(LZO_UNALIGNED_OK_4)
if (PTR_ALIGNED2_4(op, ip))
# endif
{
COPY4(op, ip);
op += 4;
ip += 4;
if (--t > 0) {
if (t >= 4) {
do {
COPY4(op, ip);
op += 4;
ip += 4;
t -= 4;
} while (t >= 4);
if (t > 0)
do *op++ = *ip++; while (--t > 0);
} else {
do *op++ = *ip++; while (--t > 0);
}
}
}
# if !defined(LZO_UNALIGNED_OK_4)
else
# endif
#endif
#if !defined(LZO_UNALIGNED_OK_4)
{
*op++ = *ip++;
*op++ = *ip++;
*op++ = *ip++;
do *op++ = *ip++; while (--t > 0);
}
#endif
first_literal_run:
t = *ip++;
if (t >= 16)
goto match;
#if defined(COPY_DICT)
#if defined(LZO1Z)
m_off = (1 + M2_MAX_OFFSET) + (t << 6) + (*ip++ >> 2);
last_m_off = m_off;
#else
m_off = (1 + M2_MAX_OFFSET) + (t >> 2) + (*ip++ << 2);
#endif
NEED_OP(3);
t = 3; COPY_DICT(t,m_off)
#else /* !COPY_DICT */
#if defined(LZO1Z)
t = (1 + M2_MAX_OFFSET) + (t << 6) + (*ip++ >> 2);
m_pos = op - t;
last_m_off = t;
#else
m_pos = op - (1 + M2_MAX_OFFSET);
m_pos -= t >> 2;
m_pos -= *ip++ << 2;
#endif
TEST_LB(m_pos); NEED_OP(3);
*op++ = *m_pos++;
*op++ = *m_pos++;
*op++ = *m_pos;
#endif /* COPY_DICT */
goto match_done;
/* handle matches */
do {
match:
if (t >= 64) { /* a M2 match */
#if defined(COPY_DICT)
#if defined(LZO1X)
m_off = 1 + ((t >> 2) & 7) + (*ip++ << 3);
t = (t >> 5) - 1;
#elif defined(LZO1Y)
m_off = 1 + ((t >> 2) & 3) + (*ip++ << 2);
t = (t >> 4) - 3;
#elif defined(LZO1Z)
m_off = t & 0x1f;
if (m_off >= 0x1c)
m_off = last_m_off;
else {
m_off = 1 + (m_off << 6) + (*ip++ >> 2);
last_m_off = m_off;
}
t = (t >> 5) - 1;
#endif
#else /* !COPY_DICT */
#if defined(LZO1X)
m_pos = op - 1;
m_pos -= (t >> 2) & 7;
m_pos -= *ip++ << 3;
t = (t >> 5) - 1;
#elif defined(LZO1Y)
m_pos = op - 1;
m_pos -= (t >> 2) & 3;
m_pos -= *ip++ << 2;
t = (t >> 4) - 3;
#elif defined(LZO1Z)
{
unsigned off = t & 0x1f;
m_pos = op;
if (off >= 0x1c) {
assert(last_m_off > 0);
m_pos -= last_m_off;
} else {
off = 1 + (off << 6) + (*ip++ >> 2);
m_pos -= off;
last_m_off = off;
}
}
t = (t >> 5) - 1;
#endif
TEST_LB(m_pos); assert(t > 0); NEED_OP(t+3-1);
goto copy_match;
#endif /* COPY_DICT */
}
else if (t >= 32) { /* a M3 match */
t &= 31;
if (t == 0) {
NEED_IP(1);
while (*ip == 0) {
t += 255;
ip++;
NEED_IP(1);
}
TEST_IV(t);
t += 31 + *ip++;
}
#if defined(COPY_DICT)
#if defined(LZO1Z)
m_off = 1 + (ip[0] << 6) + (ip[1] >> 2);
last_m_off = m_off;
#else
m_off = 1 + (ip[0] >> 2) + (ip[1] << 6);
#endif
#else /* !COPY_DICT */
#if defined(LZO1Z)
{
unsigned off = 1 + (ip[0] << 6) + (ip[1] >> 2);
m_pos = op - off;
last_m_off = off;
}
#elif defined(LZO_UNALIGNED_OK_2) && defined(LZO_ABI_LITTLE_ENDIAN)
m_pos = op - 1;
m_pos -= (* (const lzo_ushortp) ip) >> 2;
#else
m_pos = op - 1;
m_pos -= (ip[0] >> 2) + (ip[1] << 6);
#endif
#endif /* COPY_DICT */
ip += 2;
}
else if (t >= 16) { /* a M4 match */
#if defined(COPY_DICT)
m_off = (t & 8) << 11;
#else /* !COPY_DICT */
m_pos = op;
m_pos -= (t & 8) << 11;
#endif /* COPY_DICT */
t &= 7;
if (t == 0) {
NEED_IP(1);
while (*ip == 0) {
t += 255;
ip++;
NEED_IP(1);
}
TEST_IV(t);
t += 7 + *ip++;
}
#if defined(COPY_DICT)
#if defined(LZO1Z)
m_off += (ip[0] << 6) + (ip[1] >> 2);
#else
m_off += (ip[0] >> 2) + (ip[1] << 6);
#endif
ip += 2;
if (m_off == 0)
goto eof_found;
m_off += 0x4000;
#if defined(LZO1Z)
last_m_off = m_off;
#endif
#else /* !COPY_DICT */
#if defined(LZO1Z)
m_pos -= (ip[0] << 6) + (ip[1] >> 2);
#elif defined(LZO_UNALIGNED_OK_2) && defined(LZO_ABI_LITTLE_ENDIAN)
m_pos -= (* (const lzo_ushortp) ip) >> 2;
#else
m_pos -= (ip[0] >> 2) + (ip[1] << 6);
#endif
ip += 2;
if (m_pos == op)
goto eof_found;
m_pos -= 0x4000;
#if defined(LZO1Z)
last_m_off = pd((const uint8_t*)op, m_pos);
#endif
#endif /* COPY_DICT */
}
else { /* a M1 match */
#if defined(COPY_DICT)
#if defined(LZO1Z)
m_off = 1 + (t << 6) + (*ip++ >> 2);
last_m_off = m_off;
#else
m_off = 1 + (t >> 2) + (*ip++ << 2);
#endif
NEED_OP(2);
t = 2; COPY_DICT(t,m_off)
#else /* !COPY_DICT */
#if defined(LZO1Z)
t = 1 + (t << 6) + (*ip++ >> 2);
m_pos = op - t;
last_m_off = t;
#else
m_pos = op - 1;
m_pos -= t >> 2;
m_pos -= *ip++ << 2;
#endif
TEST_LB(m_pos); NEED_OP(2);
*op++ = *m_pos++;
*op++ = *m_pos;
#endif /* COPY_DICT */
goto match_done;
}
/* copy match */
#if defined(COPY_DICT)
NEED_OP(t+3-1);
t += 3-1; COPY_DICT(t,m_off)
#else /* !COPY_DICT */
TEST_LB(m_pos); assert(t > 0); NEED_OP(t+3-1);
#if defined(LZO_UNALIGNED_OK_4) || defined(LZO_ALIGNED_OK_4)
# if !defined(LZO_UNALIGNED_OK_4)
if (t >= 2 * 4 - (3 - 1) && PTR_ALIGNED2_4(op,m_pos)) {
assert((op - m_pos) >= 4); /* both pointers are aligned */
# else
if (t >= 2 * 4 - (3 - 1) && (op - m_pos) >= 4) {
# endif
COPY4(op,m_pos);
op += 4; m_pos += 4; t -= 4 - (3 - 1);
do {
COPY4(op,m_pos);
op += 4; m_pos += 4; t -= 4;
} while (t >= 4);
if (t > 0)
do *op++ = *m_pos++; while (--t > 0);
}
else
#endif
{
copy_match:
*op++ = *m_pos++; *op++ = *m_pos++;
do *op++ = *m_pos++; while (--t > 0);
}
#endif /* COPY_DICT */
match_done:
#if defined(LZO1Z)
t = ip[-1] & 3;
#else
t = ip[-2] & 3;
#endif
if (t == 0)
break;
/* copy literals */
match_next:
assert(t > 0);
assert(t < 4);
NEED_OP(t);
NEED_IP(t+1);
#if 0
do *op++ = *ip++; while (--t > 0);
#else
*op++ = *ip++;
if (t > 1) {
*op++ = *ip++;
if (t > 2)
*op++ = *ip++;
}
#endif
t = *ip++;
} while (TEST_IP && TEST_OP);
}
//#if defined(HAVE_TEST_IP) || defined(HAVE_TEST_OP)
/* no EOF code was found */
*out_len = pd(op, out);
return LZO_E_EOF_NOT_FOUND;
//#endif
eof_found:
assert(t == 1);
*out_len = pd(op, out);
return (ip == ip_end ? LZO_E_OK :
(ip < ip_end ? LZO_E_INPUT_NOT_CONSUMED : LZO_E_INPUT_OVERRUN));
//#if defined(HAVE_NEED_IP)
input_overrun:
*out_len = pd(op, out);
return LZO_E_INPUT_OVERRUN;
//#endif
//#if defined(HAVE_NEED_OP)
output_overrun:
*out_len = pd(op, out);
return LZO_E_OUTPUT_OVERRUN;
//#endif
//#if defined(LZO_TEST_OVERRUN_LOOKBEHIND)
lookbehind_overrun:
*out_len = pd(op, out);
return LZO_E_LOOKBEHIND_OVERRUN;
//#endif
}