mirror of
https://github.com/microsoft/vcpkg.git
synced 2024-12-02 13:08:36 +08:00
2666deec0c
* [lz4] Patch for CVE-2021-3520 See https://nvd.nist.gov/vuln/detail/CVE-2021-3520 for more details This is the upstream patch by Jasper Lievisse Adriaanse. "Fix potential memory corruption with negative memmove() size" https://github.com/lz4/lz4/pull/972 * Added license to lz4/vcpkg.json
27 lines
757 B
Diff
Executable File
27 lines
757 B
Diff
Executable File
From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001
|
|
From: Jasper Lievisse Adriaanse <j@jasper.la>
|
|
Date: Fri, 26 Feb 2021 15:21:20 +0100
|
|
Subject: [PATCH 001/120] Fix potential memory corruption with negative
|
|
memmove() size
|
|
|
|
---
|
|
lib/lz4.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/lib/lz4.c b/lib/lz4.c
|
|
index 5f524d0..c2f504e 100644
|
|
--- a/lib/lz4.c
|
|
+++ b/lib/lz4.c
|
|
@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
|
|
const size_t dictSize /* note : = 0 if noDict */
|
|
)
|
|
{
|
|
- if (src == NULL) { return -1; }
|
|
+ if ((src == NULL) || (outputSize < 0)) { return -1; }
|
|
|
|
{ const BYTE* ip = (const BYTE*) src;
|
|
const BYTE* const iend = ip + srcSize;
|
|
--
|
|
2.36.1
|
|
|