On Wed, Dec 12, 2018 at 07:03:14AM +0000, Yueyi Li wrote:
> It`s possible ip overrun in lzo1x_1_do_compress() when compressed page is
> point to the end of memory and which virtual address is 0xfffffffffffff000.
> Leading to a NULL pointer access during the get_unaligned_le32(ip).
>
> ip = x9 = 0x0000000000000009 is overflow.
>
> @@ -224,8 +224,8 @@ int lzo1x_1_compress(const unsigned char *in, size_t
> in_len,
>
> while (l > 20) {
> size_t ll = l <= (M4_MAX_OFFSET + 1) ? l : (M4_MAX_OFFSET + 1);
> - uintptr_t ll_end = (uintptr_t) ip + ll;
> - if ((ll_end + ((t + ll) >> 5)) <= ll_end)
> + // check for address space wraparound
> + if (((uintptr_t) ip + ll + ((t + ll) >> 5)) <= (uintptr_t) ip)
> break;
Please use the /* */ comment style and enhance the comment contents to
be more descriptive what overflows and how.
> BUILD_BUG_ON(D_SIZE * sizeof(lzo_dict_t) >
> LZO1X_1_MEM_COMPRESS);
> memset(wrkmem, 0, D_SIZE * sizeof(lzo_dict_t));
> --
> 2.7.4
>
