CVE-2014-4715 Analysis

It's an integer overflow vulnerability in LZ4 ‘lz4.c’. If we look at the patch at https://code.google.com/p/lz4/source/diff?spec=svn119&r=119&format=side&path=/trunk/lz4.c

we can see that they have added the following conditions:

/* overflow detection */
926 if ((sizeof(void*)==4) && unlikely((size_t)(op+length)<(size_t)(op))) goto _output_error; /* quickfix issue 134 */
927 if ((endOnInput) && (sizeof(void*)==4) && unlikely((size_t)(ip+length)<(size_t)(ip))) goto _output_error; /* quickfix issue 134 */
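
Review bot: at lines 926 and 927 the sums op+length and ip+length are formed on the pointers and only then cast to size_t, so the test relies on the pointer addition itself wrapping, which C leaves undefined once the result falls outside the buffer; a compiler is allowed to assume that never happens and drop the comparison. Cast before adding, e.g. ((size_t)op + length) < (size_t)op, or compare length against the space remaining in the buffer. Both guards are also limited to sizeof(void*)==4, which deserves a comment saying why builds with wider pointers are considered unaffected.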

 

//if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) goto _output_error; /* overflow detection */
967 if ((sizeof(void*)==4) && unlikely((size_t)(op+length)<(size_t)op)) goto _output_error; /* quickfix issue 134 */
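
Review bot: the commented-out length>LZ4_MAX_INPUT_SIZE test above line 967 is left in as dead code next to its replacement; remove it, or keep a one-line comment explaining why the bound on length was replaced by the wrap test on op+length.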

As you may have figured out, the code adds some value (length) to the variable ip and then checks whether the sum is less than the value of ip. This can only be true in case of an integer overflow. A similar check is added for the op variable.
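
Added example (not part of the original post or of the LZ4 source): a small C model of the wrap-around test described above, next to a bounds test that lacks it. Addresses are modelled as uint32_t so the 32-bit wrap is reproducible on any host; the names addr32, fits_unchecked, wraps and fits_checked and all sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: 32-bit addresses held in uint32_t, so the wrap
   is well defined and reproducible on any host. */
typedef uint32_t addr32;

/* Hypothetical bounds test with no overflow guard: the sum wraps
   modulo 2^32 and can land below oend again. */
static int fits_unchecked(addr32 op, uint32_t length, addr32 oend) {
    return (addr32)(op + length) <= oend;
}

/* Same shape as the test in the patch: a sum smaller than its own
   operand can only come from wrap-around. */
static int wraps(addr32 p, uint32_t length) {
    return (addr32)(p + length) < p;
}

/* Alternative that never forms the sum: compare length with the
   space that is left in the buffer. */
static int fits_checked(addr32 op, uint32_t length, addr32 oend) {
    return op <= oend && length <= (uint32_t)(oend - op);
}

int main(void) {
    /* Constructed values: an output cursor close to the top of a
       32-bit address space, with 0x1000 bytes left before oend. */
    const addr32 op = 0xFFFF0000u, oend = 0xFFFF1000u;
    const uint32_t lens[] = { 0x800u, 0x2000u, 0x20000u };

    for (unsigned i = 0; i < 3; i++) {
        uint32_t len = lens[i];
        printf("length=0x%05x sum=0x%08x unchecked_fits=%d wraps=%d checked_fits=%d\n",
               (unsigned)len, (unsigned)(addr32)(op + len),
               fits_unchecked(op, len, oend), wraps(op, len),
               fits_checked(op, len, oend));
    }
    return 0;
}
```

For the last length the unguarded test accepts the copy because the wrapped sum is a small address, while both the patch-style test and the remaining-space comparison reject it.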

 

Thanks,

Hardik