| Subject: | Improper return value |
| Date: | Wed, 22 Mar 2017 21:09:44 +0000 |
| To: | "bug-Compress-LZ4 [...] rt.cpan.org" <bug-Compress-LZ4 [...] rt.cpan.org> |
| From: | Bradley Freeman <bradley.freeman [...] nuspire.com> |
Hello,
Just a heads up, while debugging an implementation of this module, we discovered an issue that causes buffer overruns.
In LZ4.xs, the line
SvCUR_set(RETVAL, dest_len);
returns the dest_len as set by the user, and will return exactly the amount of bytes specified without any bounds checking, leading to access of memory regions outside the decompressed payload.
We've patched the module and the function now works as expected.
Diff of the patch:
--- ../Compress-LZ4-0.23/LZ4.xs 2017-03-22 17:07:25.879351053 -0400
+++ LZ4.xs 2017-03-22 16:35:46.351572641 -0400
@@ -111,7 +111,7 @@
SvREFCNT_dec(RETVAL);
XSRETURN_UNDEF;
}
- SvCUR_set(RETVAL, dest_len);
+ SvCUR_set(RETVAL, ret);
SvPOK_on(RETVAL);
OUTPUT:
RETVAL
Thanks and warm regards,
~Bradley
[https://ci6.googleusercontent.com/proxy/0_QAwjScSjmThChXCSdksXLRgmmTI-zh7Qe_xrQR2fRhA5nb9O1yYJ78mCfYyG-hV3-78M8BFv-nQG9TTVJP-cBzuV61CCbAbYRnVO8G2qDgr3PDyNBKOBchl2Qx742_Z-pdAG6saFfpWVtnpz4JZ0KSCiS31DGeKdlO1O0rHTFgJ8fbNsHg1ITm7WkzsftbfdeZBurJaGs6tKY=s0-d-e1-ft#https://docs.google.com/uc?export=download&id=0Bz_wOLH8CWd0TF81aFo2UTRCYjg&revid=0Bz_wOLH8CWd0YlJsbTNucWRoWVdxTDlOYi9LWG5JREpWMUk4PQ]
Bradley Freeman
Securities Engineer
bradley.freeman@nuspire.com<mailto:bradley.freeman@nuspire.com>
(513) 388-4500 ext. 8107