mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
6f77b376d4
We had output[output_pos - distance]; where output_pos and distance are size_t and distance can be greater than output_pos (because it refers to a place in the previous block).

The underflow is defined, leading to a big number, and when sizeof(size_t) == sizeof(*uint8_t) the subsequent overflow works as expected. But if size_t is smaller than a pointer, bad things will happen.

This was found by OSSFuzz with 'UBSAN_OPTIONS=print_stacktrace=1:silence_unsigned_overflow=1'.

Credit to OSSFuzz.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

| Name |
|---|
| tests |
| lzxpress_huffman.c |
| lzxpress_huffman.h |
| lzxpress.c |
| lzxpress.h |
| wscript_build |