| commit | dd13b66bf582f49d3aec36e3410ff8541b7506da | |
| author | Lasse Collin <lasse.collin@tukaani.org> | |
| Mon, 28 May 2012 17:42:11 +0000 (28 20:42 +0300) | ||
| committer | Lasse Collin <lasse.collin@tukaani.org> | |
| Tue, 29 May 2012 09:54:47 +0000 (29 12:54 +0300) | ||
| tree | 6db6a5f58159bfb7ddbb61925f69c3abc4772a8f | treesnapshot (tar.gz zip) |
| parent | a0223bf796fdaad51a11ad02c4195c694849cc78 | commitdiff |
liblzma: Fix possibility of incorrect LZMA_BUF_ERROR.
lzma_code() could incorrectly return LZMA_BUF_ERROR if
all of the following was true:
- The caller knows how many bytes of output to expect
and only provides that much output space.
- When the last output bytes are decoded, the
caller-provided input buffer ends right before
the LZMA2 end of payload marker. So LZMA2 won't
provide more output anymore, but it won't know it
yet and thus won't return LZMA_STREAM_END yet.
- A BCJ filter is in use and it hasn't left any
unfiltered bytes in the temp buffer. This can happen
with any BCJ filter, but in practice it's more likely
with filters other than the x86 BCJ.
Another situation where the bug can be triggered happens
if the uncompressed size is zero bytes and no output space
is provided. In this case the decompression can fail even
if the whole input file is given to lzma_code().
A similar bug was fixed in XZ Embedded on 2011-09-19.
lzma_code() could incorrectly return LZMA_BUF_ERROR if
all of the following was true:
- The caller knows how many bytes of output to expect
and only provides that much output space.
- When the last output bytes are decoded, the
caller-provided input buffer ends right before
the LZMA2 end of payload marker. So LZMA2 won't
provide more output anymore, but it won't know it
yet and thus won't return LZMA_STREAM_END yet.
- A BCJ filter is in use and it hasn't left any
unfiltered bytes in the temp buffer. This can happen
with any BCJ filter, but in practice it's more likely
with filters other than the x86 BCJ.
Another situation where the bug can be triggered happens
if the uncompressed size is zero bytes and no output space
is provided. In this case the decompression can fail even
if the whole input file is given to lzma_code().
A similar bug was fixed in XZ Embedded on 2011-09-19.
| src/liblzma/simple/simple_coder.c | diffblobblamehistory | |
| tests/Makefile.am | diffblobblamehistory | |
| tests/test_bcj_exact_size.c | [new file with mode: 0644] | blob |