Possible array overrun in lzma_reset()
From: Jesper Juhl
Date: Sat Jan 22 2011 - 15:40:42 EST
Hi,
The Covery prevent checker noticed that there's a buffer overrun in
lib/xz/xz_dec_lzma2.c::lzma_reset() :
...
778 /*
779 * All probabilities are initialized to the same value. This hack
780 * makes the code smaller by avoiding a separate loop for each
781 * probability array.
782 *
783 * This could be optimized so that only that part of literal
784 * probabilities that are actually required. In the common case
785 * we would write 12 KiB less.
786 */
Event ptr_assign: Pointer "probs" is assigned the address of a static array pointer "&s->lzma.is_match[0]" of size 32 bytes.
787 probs = s->lzma.is_match[0];
At conditional (1): "i < 14134UL" taking true path
At conditional (2): "i < 14134UL" taking true path
At conditional (3): "i < 14134UL" taking true path
788 for (i = 0; i < PROBS_TOTAL; ++i)
Event overrun-local: Overrunning static array of size 32 bytes at byte position 28266 by indexing pointer "probs" with index variable "i".
Event overrun-local: Note: These bugs are often difficult to see at first glance. Coverity recommends a close inspection of the events leading to this overrun.
789 probs[i] = RC_BIT_MODEL_TOTAL / 2;
...
I looked into the report and found that 's->lzma.is_match' is
uint16_t is_match[STATES][POS_STATES_MAX]
where 'STATES' is '#define STATES 12' and 'POS_STATES_MAX' is '#define POS_STATES_MAX (1 << 4)'.
So I think the checker has a point. However, I'm not familiar enough with
this code to know what the proper fix is, so I just thought I'd report it
to the proper people.
Happy bug fixing :-)
--
Jesper Juhl <jj@xxxxxxxxxxxxx> http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/