On Wed, Dec 12, 2018 at 07:03:14AM +0000, Yueyi Li wrote: > It`s possible ip overrun in lzo1x_1_do_compress() when compressed page is > point to the end of memory and which virtual address is 0xfffffffffffff000. > Leading to a NULL pointer access during the get_unaligned_le32(ip). > > ip = x9 = 0x0000000000000009 is overflow. > > @@ -224,8 +224,8 @@ int lzo1x_1_compress(const unsigned char *in, size_t > in_len, > > while (l > 20) { > size_t ll = l <= (M4_MAX_OFFSET + 1) ? l : (M4_MAX_OFFSET + 1); > - uintptr_t ll_end = (uintptr_t) ip + ll; > - if ((ll_end + ((t + ll) >> 5)) <= ll_end) > + // check for address space wraparound > + if (((uintptr_t) ip + ll + ((t + ll) >> 5)) <= (uintptr_t) ip) > break;
Please use the /* */ comment style and enhance the comment contents to be more descriptive of what overflows and how. > BUILD_BUG_ON(D_SIZE * sizeof(lzo_dict_t) > > LZO1X_1_MEM_COMPRESS); > memset(wrkmem, 0, D_SIZE * sizeof(lzo_dict_t)); > -- > 2.7.4 >
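Review bot: the comment in the hunk should state which addition wraps, because that is the actual defect the new condition fixes: the old code computed `ll_end = (uintptr_t) ip + ll` first and then only tested whether adding `(t + ll) >> 5` to `ll_end` wrapped, so with `ip` at 0xfffffffffffff000 and `ll` up to M4_MAX_OFFSET + 1 the `ip + ll` step itself wraps to a small `ll_end`, the `<=` test passes, and `ip` later ends up at the 0x9 reported in the changelog. Comparing the full sum against `(uintptr_t) ip` catches that case; a comment such as `/* (uintptr_t) ip + ll + ((t + ll) >> 5) wraps around the top of the address space when ip is near its end; stop compressing rather than read past the buffer */` would record why the comparison base changed from `ll_end` to `ip`.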