Re: [PATCH v3 1/2] lib: decompress_unzstd: Limit output size
From: Nick Terrell
Date: Tue Sep 01 2020 - 18:42:34 EST
> On Sep 1, 2020, at 7:26 AM, Paul Cercueil <paul@xxxxxxxxxxxxxxx> wrote:
>
> The zstd decompression code, as it is right now, will most likely fail
> on 32-bit systems, as the default output buffer size causes the buffer's
> end address to overflow.
>
> Address this issue by setting a sane default to the default output size,
> with a value that won't overflow the buffer's end address.
>
> Signed-off-by: Paul Cercueil <paul@xxxxxxxxxxxxxxx>
> ---
>
> Notes:
> v2: Change limit to 1 GiB
>
> v3: Compute size limit instead of using hardcoded value
>
> lib/decompress_unzstd.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/lib/decompress_unzstd.c b/lib/decompress_unzstd.c
> index 0ad2c15479ed..790abc472f5b 100644
> --- a/lib/decompress_unzstd.c
> +++ b/lib/decompress_unzstd.c
> @@ -178,8 +178,13 @@ static int INIT __unzstd(unsigned char *in_buf, long in_len,
> int err;
> size_t ret;
>
> + /*
> + * ZSTD decompression code won't be happy if the buffer size is so big
> + * that its end address overflows. When the size is not provided, make
> + * it as big as possible without having the end address overflow.
> + */
> if (out_len == 0)
> - out_len = LONG_MAX; /* no limit */
> + out_len = UINTPTR_MAX - (uintptr_t)out_buf;
Great, that works for me. Thanks for fixing this!
Reviewed-by: Nick Terrell <terrelln@xxxxxx>
> if (fill == NULL && flush == NULL)
> /*
> --
> 2.28.0
>