| | | |
|---|---|---|
| author | Lasse Collin <lasse.collin@tukaani.org> | 2022-09-09 13:51:57 +0300 |
| committer | Lasse Collin <lasse.collin@tukaani.org> | 2022-09-17 00:22:11 +0300 |
| commit | f94da15120c3d3c363ca12c2262ac6cb9f321f4f | |
| tree | 01750d0525bb53361270dc98e8827961fb6d3a57 /src/liblzma/lzma/lzma_decoder.c | |
| parent | Tests: Add a test file for lzma_index_append() integer overflow bug. | |
| download | xz-f94da15120c3d3c363ca12c2262ac6cb9f321f4f.tar.xz | |

liblzma: lzma_filters_copy: Keep dest[] unmodified if an error occurs.

lzma_stream_encoder() and lzma_stream_encoder_mt() always assumed
this. Before this patch, failing lzma_filters_copy() could result
in free(invalid_pointer) or invalid memory reads in stream_encoder.c
or stream_encoder_mt.c.

To trigger this, allocating memory for a filter options structure
has to fail. These are tiny allocations so in practice they very
rarely fail.

Certain badness in the filter chain array could also make
lzma_filters_copy() fail but both stream_encoder.c and
stream_encoder_mt.c validate the filter chain before
trying to copy it, so the crash cannot occur this way.

Diffstat (limited to 'src/liblzma/lzma/lzma_decoder.c')
0 files changed, 0 insertions, 0 deletions
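
The guarantee named in the commit subject (dest[] stays unmodified when the copy fails) can be illustrated with a copy that builds the chain in a temporary array and commits it only on success. This is an added example, not code from xz or from this commit; the `filter` type, `CHAIN_MAX`, `ID_END`, `test_alloc` and both function names are hypothetical stand-ins, and the allocation failure is injected through a constructed test hook.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not liblzma's own types or constants. */
typedef struct { int id; void *options; size_t size; } filter;
#define CHAIN_MAX 4
#define ID_END (-1)

static int fail_after = -1; /* test hook: allocations allowed before failing (-1 = never fail) */

static void *test_alloc(size_t n) {
	if (fail_after == 0) return NULL;
	if (fail_after > 0) --fail_after;
	return malloc(n);
}

/* Deep-copies src[] into dest[]; on any failure dest[] is left exactly as it was. */
bool filters_copy_atomic(const filter *src, filter *dest) {
	filter tmp[CHAIN_MAX + 1];
	size_t i;
	for (i = 0; src[i].id != ID_END; ++i) {
		if (i == CHAIN_MAX) goto error;        /* chain too long */
		tmp[i] = src[i];
		if (src[i].options == NULL) continue;
		tmp[i].options = test_alloc(src[i].size);
		if (tmp[i].options == NULL) goto error;
		memcpy(tmp[i].options, src[i].options, src[i].size);
	}
	tmp[i] = (filter){ ID_END, NULL, 0 };
	memcpy(dest, tmp, (i + 1) * sizeof(filter)); /* commit only on success */
	return true;
error:
	while (i-- > 0) free(tmp[i].options);  /* frees only copies made by this call */
	return false;
}

/* Constructed scenario: allocation number nth (0-based) fails; returns 1 if dest[] is untouched. */
int dest_untouched_when_alloc_fails(int nth) {
	int a = 1, b = 2;
	filter src[] = { {10, &a, sizeof a}, {20, &b, sizeof b}, {ID_END, NULL, 0} };
	filter dest[CHAIN_MAX + 1], before[CHAIN_MAX + 1];
	memset(dest, 0xA5, sizeof dest);       /* whatever the caller had in dest[] */
	memcpy(before, dest, sizeof dest);
	fail_after = nth;
	bool ok = filters_copy_atomic(src, dest);
	fail_after = -1;
	return !ok && memcmp(dest, before, sizeof dest) == 0;
}
```

A caller that frees dest[] entries on its own error path only stays safe if a failed copy has written nothing there, which is what the byte-for-byte comparison checks.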