From f94da15120c3d3c363ca12c2262ac6cb9f321f4f Mon Sep 17 00:00:00 2001
From: Lasse Collin
Date: Fri, 9 Sep 2022 13:51:57 +0300
Subject: liblzma: lzma_filters_copy: Keep dest[] unmodified if an error occurs.
lzma_stream_encoder() and lzma_stream_encoder_mt() always assumed this. Before this patch, failing lzma_filters_copy() could result in free(invalid_pointer) or invalid memory reads in stream_encoder.c or stream_encoder_mt.c. To trigger this, allocating memory for a filter options structure has to fail. These are tiny allocations so in practice they very rarely fail. Certain badness in the filter chain array could also make lzma_filters_copy() fail but both stream_encoder.c and stream_encoder_mt.c validate the filter chain before trying to copy it, so the crash cannot occur this way.
---
 src/liblzma/api/lzma/filter.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'src/liblzma/api')
diff --git a/src/liblzma/api/lzma/filter.h b/src/liblzma/api/lzma/filter.h
index 8c859314..04825c65 100644
--- a/src/liblzma/api/lzma/filter.h
+++ b/src/liblzma/api/lzma/filter.h
@@ -108,7 +108,9 @@ extern LZMA_API(lzma_bool) lzma_filter_decoder_is_supported(lzma_vli id)
  * need to be initialized by the caller in any way.
  *
  * If an error occurs, memory possibly already allocated by this function
- * is always freed.
+ * is always freed. liblzma versions older than 5.2.7 may modify the dest
+ * array and leave its contents in an undefined state if an error occurs.
+ * liblzma 5.2.7 and newer only modify the dest array when returning LZMA_OK.
  *
  * \return - LZMA_OK
  * - LZMA_MEM_ERROR
-- cgit v1.2.3
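Review bot: The new sentences state the guarantee but not what it means for the caller, which is the point that matters for the free(invalid_pointer) case described in the commit message: after an error return dest[] still holds whatever the caller left there (the context line above says it need not be initialized), so nothing in it may be passed to free() or otherwise treated as liblzma-owned. I would add after the LZMA_OK sentence: ` * Thus, after an error return, the caller must not free anything in dest[];` / ` * only on LZMA_OK does dest[] hold options allocated by liblzma.` Callers that may be linked against an older liblzma cannot rely on the new behaviour without a runtime check via lzma_version_number(), which is worth one clause in the same paragraph. Note that the behavioural change itself is not in this diff (it is limited to src/liblzma/api), so the 5.2.7 claim cannot be checked against code here, and both the start of this doc comment and the lzma_filters_copy() declaration it documents lie outside the hunk.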