Don't memzero() the history buffer when initializing LZ

decoder. There's no danger of information leak here, so
it isn't required. Doing memzero() takes a lot of time
with large dictionaries, which could make it easier to
construct DoS attack to consume too much CPU time.

diff --git a/src/liblzma/lz/lz_decoder.c b/src/liblzma/lz/lz_decoder.c
index 9c110de..92aaff6 100644 (file)
--- a/src/liblzma/lz/lz_decoder.c
+++ b/src/liblzma/lz/lz_decoder.c
@@ -429,10 +429,9 @@ lzma_lz_decoder_reset(lzma_lz_decoder *lz, lzma_allocator *allocator,
                        return LZMA_MEM_ERROR;
        }
 
-       // Clean up the buffers to make it very sure that there are
-       // no information leaks when multiple steams are decoded
-       // with the same decoder structures.
-       memzero(lz->dict, dict_real_size);
+       // Clean up the temporary buffer to make it very sure that there are
+       // no information leaks when multiple steams are decoded with the
+       // same decoder structures.
        memzero(lz->temp, LZMA_BUFFER_SIZE);
 
        // Reset the variables so that lz_get_byte(lz, 0) will return '\0'.