This repository was archived by the owner on Mar 1, 2024. It is now read-only.
Tags: intel/zlib
default_medium: avoid out-of-bounds read

The `match` pointer can be dereferenced outside the `s->window` buffer, so add a boundary check to avoid the issue.

The issue was detected with valgrind. For example, running `gzip FILE` with valgrind on Clear Linux OS for a FILE that reproduces the issue:

    ==1610872== Thread 3:
    ==1610872== Invalid read of size 1
    ==1610872==    at 0x49E9A98: fizzle_matches (deflate_medium.c:150)
    ==1610872==    by 0x49E9A98: deflate_medium (deflate_medium.c:281)
    ==1610872==    by 0x49EC1E7: deflate (deflate.c:1015)
    ==1610872==    by 0x1195D8: UnknownInlinedFun (pigz.c:1602)
    ==1610872==    by 0x1195D8: compress_thread (pigz.c:1752)
    ==1610872==    by 0x11AFD1: ignition (yarn.c:253)
    ==1610872==    by 0x49CB50E: start_thread (pthread_create.c:481)
    ==1610872==    by 0x4B43B02: clone (in /usr/lib64/haswell/libc-2.33.so)
    ==1610872==  Address 0x4c6369f is 1 bytes before a block of size 65,552 alloc'd
    ==1610872==    at 0x48447DA: malloc (vg_replace_malloc.c:380)
    ==1610872==    by 0x49EAB4C: deflateInit2_ (deflate.c:319)
    ==1610872==    by 0x11933D: compress_thread (pigz.c:1637)
    ==1610872==    by 0x11AFD1: ignition (yarn.c:253)
    ==1610872==    by 0x49CB50E: start_thread (pthread_create.c:481)
    ==1610872==    by 0x4B43B02: clone (in /usr/lib64/haswell/libc-2.33.so)

The out-of-bounds check for `orig` has been added for completeness.
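The following is an added illustration of the class of bug the commit message above describes, not code from intel/zlib or from `deflate_medium.c`. It models the backward match extension as a simplified, hypothetical `fizzle_pair` over a small constructed window (`sample_window`, `struct match` and the demo functions are all assumptions made for this example): the loop reads one byte before two window positions on every step, so it must refuse to step when either position is already at offset 0. That is exactly the "1 bytes before a block" read valgrind reported, and the explicit check is the boundary check the commit adds.

```c
#include <stddef.h>
#include <stdio.h>

#define MIN_MATCH 3     /* shortest match deflate will emit */
#define MAX_MATCH 258   /* longest match deflate can encode */

/* Hypothetical, simplified view of a match as a medium deflate strategy
 * tracks it. Offsets are indexes into the sliding window. */
struct match {
    size_t strstart;    /* offset of the string being coded */
    size_t match_start; /* offset of the earlier, identical string */
    size_t match_len;   /* number of matching bytes */
};

/* Hand bytes from the tail of `current` to the head of `next` for as long as
 * `next`'s match also holds one byte further back, i.e. while
 * window[next->match_start - 1] == window[next->strstart - 1].
 * Returns the number of bytes moved.
 *
 * Each iteration reads one byte BEFORE both positions. If either position is
 * already at offset 0, that read lands one byte before the window allocation,
 * which is the out-of-bounds read in the valgrind report above. The explicit
 * check in the loop is what prevents it. */
size_t fizzle_pair(const unsigned char *window, size_t window_size,
                   struct match *current, struct match *next)
{
    size_t moved = 0;

    /* Reject offsets that are not inside the window at all. */
    if (next->strstart >= window_size || next->match_start >= window_size)
        return 0;

    while (current->match_len > MIN_MATCH && next->match_len < MAX_MATCH) {
        /* Boundary check: never dereference window[-1] through either pointer. */
        if (next->match_start == 0 || next->strstart == 0)
            break;
        if (window[next->match_start - 1] != window[next->strstart - 1])
            break;
        next->match_start--;
        next->strstart--;
        next->match_len++;
        current->match_len--;
        moved++;
    }
    return moved;
}

/* Constructed sample window: "abcd" repeated three times (12 bytes), so that
 * genuine matches exist at offsets 0, 4 and 8. */
static const unsigned char sample_window[] = "abcdabcdabcd";
#define SAMPLE_LEN 12

/* Scenario from the valgrind report: the earlier copy that `next` points at
 * sits at offset 0, so an unchecked loop would read sample_window[-1].
 * Returns the number of bytes moved, which must be 0. */
size_t demo_match_at_window_start(void)
{
    struct match current = { 4, 0, 6 };   /* "abcdab" at 4 matches offset 0 */
    struct match next    = { 8, 0, 4 };   /* "abcd"   at 8 matches offset 0 */
    return fizzle_pair(sample_window, SAMPLE_LEN, &current, &next);
}

/* Normal case: the earlier copy is at offset 4, so `next` grows backwards
 * until `current` is down to MIN_MATCH. Returns the resulting length of
 * `next` (3 bytes moved, so 4 + 3 = 7), or 0 if the bookkeeping is off. */
size_t demo_match_extends(void)
{
    struct match current = { 4, 0, 6 };
    struct match next    = { 8, 4, 4 };   /* "abcd" at 8 matches offset 4 */
    size_t moved = fizzle_pair(sample_window, SAMPLE_LEN, &current, &next);
    return (moved == 3 && current.match_len == MIN_MATCH) ? next.match_len : 0;
}

int main(void)
{
    printf("match at window start: moved %zu bytes (boundary check stopped it)\n",
           demo_match_at_window_start());
    printf("normal case: next grows to %zu bytes\n", demo_match_extends());
    return 0;
}
```

The check is cheap (two integer compares per step) and sits in the same place the real fix does in spirit: before the pointer is moved, not after. Building the same example without the `== 0` test and running it under valgrind or with `-fsanitize=address` reports the one-byte read before `sample_window`, which is a useful regression test to keep next to any code that walks a pointer backwards through a buffer.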
deflate_medium: avoid emitting a suboptimal literal in the restart case When we load new data into the window, we invalidate the next match, in case the match would improve. In this case, the hash has already been updated with this data, so when we look for a new match it will point it back at itself. As a result, a literal is generated even when a better match is available. This avoids that by catching this case and ensuring we're looking at the past.
infcover: remove OoM test for SetDictionary since we don't lazy alloc window anymore