[illumos-gate merge]

commit 58d0718061c87e3d647c891ec5281b93c08dba4e 4936 lz4 could theoretically overflow a pointer with a certain input
author: Keith M Wesolowski <wesolows@foobazco.org> 2014-06-26 22:33:35 +0000
committer: Keith M Wesolowski <wesolows@foobazco.org> 2014-06-26 22:33:35 +0000
commit: dfb423e13dce7c91059cc1b29429e326d6737ba3 (patch)
tree: 89e9dfad4f452759f5df0bb0a424d7550d468075 /usr/src/grub
parent: b93eaeec23936341489bb38d92e74dbd01d307c0 (diff)
parent: 58d0718061c87e3d647c891ec5281b93c08dba4e (diff)
download: illumos-joyent-dfb423e13dce7c91059cc1b29429e326d6737ba3.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/usr/src/grub/grub-0.97/stage2/zfs_lz4.c b/usr/src/grub/grub-0.97/stage2/zfs_lz4.c
index 42c03f9135..6d94111538 100644
--- a/usr/src/grub/grub-0.97/stage2/zfs_lz4.c
+++ b/usr/src/grub/grub-0.97/stage2/zfs_lz4.c
@@ -214,6 +214,9 @@ LZ4_uncompress_unknownOutputSize(const char *source,
 		}
 		/* copy literals */
 		cpy = op + length;
+		/* CORNER-CASE: cpy might overflow. */
+		if (cpy < op)
+			goto _output_error;	/* cpy was overflowed, bail! */
 		if ((cpy > oend - COPYLENGTH) ||
 		    (ip + length > iend - COPYLENGTH)) {
 			if (cpy > oend)
author	Keith M Wesolowski <wesolows@foobazco.org>	2014-06-26 22:33:35 +0000
committer	Keith M Wesolowski <wesolows@foobazco.org>	2014-06-26 22:33:35 +0000
commit	dfb423e13dce7c91059cc1b29429e326d6737ba3 (patch)
tree	89e9dfad4f452759f5df0bb0a424d7550d468075 /usr/src/grub
parent	b93eaeec23936341489bb38d92e74dbd01d307c0 (diff)
parent	58d0718061c87e3d647c891ec5281b93c08dba4e (diff)
download	illumos-joyent-dfb423e13dce7c91059cc1b29429e326d6737ba3.tar.gz