Re: [PATCH v5 02/12] crypto: acomp - Define new interfaces for compress/decompress batching.

[Herbert Xu]

On Sat, Feb 22, 2025 at 11:27:49PM +0900, Sergey Senozhatsky wrote:
>
> So I didn't look at all of them, but at least S/W lzo1 doesn't even
> have a notion of max-output-len.  lzo1x_1_compress() accepts a pointer
> to out_len which tells the size of output stream (the algorithm is free
> to produce any), so there is no dst_buf overflow as far as lzo1 is
> concerned.  Unless I'm missing something or misunderstanding your points.

I just looked at deflate/zstd and they seem to be doing the right
things.

But yes lzo is a gaping security hole on the compression side.

The API has always specified a maximum output length and it needs
to be respected for both compression and decompression.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt