Author: delphij
Date: Thu Feb 14 21:02:18 2013
New Revision: 246808
URL: http://svnweb.freebsd.org/changeset/base/246808
Log:
Eliminate real_LZ4_uncompress. It's unused and does not perform sufficient
check against input stream (i.e. it could read beyond specified input
buffer).
Modified:
head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/lz4.c
Modified: head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/lz4.c
==============================================================================
--- head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/lz4.c Thu Feb 14
20:00:38 2013 (r246807)
+++ head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/lz4.c Thu Feb 14
21:02:18 2013 (r246808)
@@ -36,7 +36,6 @@
static int real_LZ4_compress(const char *source, char *dest, int isize,
int osize);
-static int real_LZ4_uncompress(const char *source, char *dest, int osize);
static int LZ4_compressBound(int isize);
static int LZ4_uncompress_unknownOutputSize(const char *source, char *dest,
int isize, int maxOutputSize);
@@ -104,16 +103,6 @@ lz4_decompress(void *s_start, void *d_st
* situations (input data not compressible) worst case size
* evaluation is provided by function LZ4_compressBound().
*
- * real_LZ4_uncompress() :
- * osize : is the output size, therefore the original size
- * return : the number of bytes read in the source buffer.
- * If the source stream is malformed, the function will stop
- * decoding and return a negative result, indicating the byte
- * position of the faulty instruction. This function never
- * writes beyond dest + osize, and is therefore protected
- * against malicious data packets.
- * note : destination buffer must be already allocated
- *
* Advanced Functions
*
* LZ4_compressBound() :
@@ -137,7 +126,6 @@ lz4_decompress(void *s_start, void *d_st
* maxOutputSize, and is therefore protected against malicious
* data packets.
* note : Destination buffer must be already allocated.
- * This version is slightly slower than real_LZ4_uncompress()
*
* LZ4_compressCtx() :
* This function explicitly handles the CTX memory structure.
@@ -879,128 +867,16 @@ real_LZ4_compress(const char *source, ch
/* Decompression functions */
/*
- * Note: The decoding functions real_LZ4_uncompress() and
- * LZ4_uncompress_unknownOutputSize() are safe against "buffer overflow"
- * attack type. They will never write nor read outside of the provided
- * output buffers. LZ4_uncompress_unknownOutputSize() also insures that
- * it will never read outside of the input buffer. A corrupted input
- * will produce an error result, a negative int, indicating the position
- * of the error within input stream.
+ * Note: The decoding functionLZ4_uncompress_unknownOutputSize() is safe
+ * against "buffer overflow" attack type. They will never write nor
+ * read outside of the provided output buffers.
+ * LZ4_uncompress_unknownOutputSize() also insures that it will never
+ * read outside of the input buffer. A corrupted input will produce
+ * an error result, a negative int, indicating the position of the
+ * error within input stream.
*/
static int
-real_LZ4_uncompress(const char *source, char *dest, int osize)
-{
- /* Local Variables */
- const BYTE *restrict ip = (const BYTE *) source;
- const BYTE *ref;
-
- BYTE *op = (BYTE *) dest;
- BYTE *const oend = op + osize;
- BYTE *cpy;
-
- unsigned token;
-
- size_t length;
- size_t dec32table[] = {0, 3, 2, 3, 0, 0, 0, 0};
-#if LZ4_ARCH64
- size_t dec64table[] = {0, 0, 0, (size_t)-1, 0, 1, 2, 3};
-#endif
-
- /* Main Loop */
- for (;;) {
- /* get runlength */
- token = *ip++;
- if ((length = (token >> ML_BITS)) == RUN_MASK) {
- size_t len;
- for (; (len = *ip++) == 255; length += 255) {
- }
- length += len;
- }
- /* copy literals */
- cpy = op + length;
- if unlikely(cpy > oend - COPYLENGTH) {
- if (cpy != oend)
- /* Error: we must necessarily stand at EOF */
- goto _output_error;
- (void) memcpy(op, ip, length);
- ip += length;
- break; /* EOF */
- }
- LZ4_WILDCOPY(ip, op, cpy);
- ip -= (op - cpy);
- op = cpy;
-
- /* get offset */
- LZ4_READ_LITTLEENDIAN_16(ref, cpy, ip);
- ip += 2;
- if unlikely(ref < (BYTE * const) dest)
- /*
- * Error: offset create reference outside destination
- * buffer
- */
- goto _output_error;
-
- /* get matchlength */
- if ((length = (token & ML_MASK)) == ML_MASK) {
- for (; *ip == 255; length += 255) {
- ip++;
- }
- length += *ip++;
- }
- /* copy repeated sequence */
- if unlikely(op - ref < STEPSIZE) {
-#if LZ4_ARCH64
- size_t dec64 = dec64table[op-ref];
-#else
- const int dec64 = 0;
-#endif
- op[0] = ref[0];
- op[1] = ref[1];
- op[2] = ref[2];
- op[3] = ref[3];
- op += 4;
- ref += 4;
- ref -= dec32table[op-ref];
- A32(op) = A32(ref);
- op += STEPSIZE - 4;
- ref -= dec64;
- } else {
- LZ4_COPYSTEP(ref, op);
- }
- cpy = op + length - (STEPSIZE - 4);
- if (cpy > oend - COPYLENGTH) {
- if (cpy > oend)
- /*
- * Error: request to write beyond destination
- * buffer
- */
- goto _output_error;
- LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH));
- while (op < cpy)
- *op++ = *ref++;
- op = cpy;
- if (op == oend)
- /*
- * Check EOF (should never happen, since last
- * 5 bytes are supposed to be literals)
- */
- goto _output_error;
- continue;
- }
- LZ4_SECURECOPY(ref, op, cpy);
- op = cpy; /* correction */
- }
-
- /* end of decoding */
- return (int)(((char *)ip) - source);
-
- /* write overflow error detected */
- _output_error:
- return (int)(-(((char *)ip) - source));
-}
-
-static int
LZ4_uncompress_unknownOutputSize(const char *source, char *dest, int isize,
int maxOutputSize)
{
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
