lz4 SIGSEGV in LZ4_decompress_generic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lz4 (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Triaged | High | Unassigned |
Bionic | Triaged | High | Unassigned |
Disco | Won't Fix | High | Unassigned |
Eoan | Fix Released | High | Unassigned |
Focal | Fix Released | High | Unassigned |
Bug Description
Affected packages:
https:/
https:/
https:/
https:/
Non-Affected packages:
https:/
Description:
I got a SIGSEGV with lz4 when trying to read a corrupted stream.
No null ptr check of source in LZ4_decompress_
Description of problem:
No null ptr check of source in LZ4_decompress_
```
(gdb) bt
#0 0x00007ffff74ede70 in LZ4_decompress_
dest=
349830001\
349830001\
349830001\
outputSize=65536, endOnInput=1, partialDecoding=0, targetOutputSize=0,
dict=0,
lowPrefix=
349830001\
349830001\
349830001\
dictSize=0) at lz4.c:1157
#1 LZ4_decompress_safe (source=0x0,
dest=
349830001\
349830001\
349830001\
maxDecompressed
#2 0x00007ffff7560631 in LZ4F_decompress
dest=
349830001\
349830001\
349830001\
maxDecompressed
dictStart=
349830001\
349830001\
349830001\
lz4frame.c:957
#3 0x00007ffff755595b in LZ4F_decompress
(decompressionC
dstSizePtr=
srcSizePtr=
decompressO
```
Version-Release number of selected component (if applicable):
In lz4 from HEAD the bug was fixed:
https:/
tags: | added: rls-ff-incoming |
Changed in lz4 (Ubuntu): | |
importance: | Undecided → High |
status: | New → Triaged |
tags: | removed: rls-ff-incoming |
tags: | added: id-5dc458085d71d510ddb98b36 |
information type: | Public → Public Security |
Changed in lz4 (Ubuntu Focal): | |
status: | Triaged → Fix Released |
Changed in lz4 (Ubuntu Eoan): | |
status: | New → Fix Released |
Changed in lz4 (Ubuntu Disco): | |
status: | New → Won't Fix |
Changed in lz4 (Ubuntu Xenial): | |
assignee: | nobody → Brian Murray (brian-murray) |
Changed in lz4 (Ubuntu Bionic): | |
assignee: | nobody → Brian Murray (brian-murray) |
Changed in lz4 (Ubuntu Xenial): | |
status: | New → In Progress |
Changed in lz4 (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in lz4 (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in lz4 (Ubuntu Bionic): | |
importance: | Undecided → High |
Changed in lz4 (Ubuntu Disco): | |
importance: | Undecided → High |
Changed in lz4 (Ubuntu Eoan): | |
importance: | Undecided → High |
Changed in lz4 (Ubuntu Xenial): | |
assignee: | Brian Murray (brian-murray) → nobody |
Changed in lz4 (Ubuntu Bionic): | |
assignee: | Brian Murray (brian-murray) → nobody |
Changed in lz4 (Ubuntu Xenial): | |
status: | In Progress → Triaged |
Changed in lz4 (Ubuntu Bionic): | |
status: | In Progress → Triaged |
The problem is more complex. When an incomplete frame is received, the decompression context needs to be reset with LZ4F_resetDecompressionContext (added in lz4 1.8.0).
I added a simple port:

```c
/* Port of LZ4F_resetDecompressionContext() for an lz4 older than 1.8.0.
 * Puts the frame decoder back at the "read frame header" stage and drops the
 * dictionary reference, so the context can be reused after a truncated or
 * corrupted frame instead of continuing from the interrupted stage. */
void LZ4F_resetDecompressionContext(LZ4F_dctx* dctx)
{
    dctx->dStage = dstage_getHeader;   /* next call expects a new frame header */
    dctx->dict = NULL;                 /* no dictionary left over from the previous frame */
    dctx->dictSize = 0;
}
```

And with the first patch the problem was solved.