From: W. Felix Handte Date: Thu, 18 Jul 2019 16:41:12 +0000 (-0400) Subject: Fix Data Corruption Bug when Streaming with an Attached Dict in HC Mode X-Git-Tag: upstream/1.9.3~2^2~10^2~7 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=369fb3900cbc73543f1bab276ca1b82abe402937;p=platform%2Fupstream%2Flz4.git Fix Data Corruption Bug when Streaming with an Attached Dict in HC Mode This diff fixes an issue in which we failed to clear the `dictCtx` in HC compression. The `dictCtx` is not supposed to be used when an `extDict` is present: matches found in the `dictCtx` do not account for the presence of an `extDict` segment, and their offsets are therefore miscalculated when one is present. This can lead to data corruption. This diff clears the `dictCtx` whenever setting an `extDict`. This issue was uncovered by @terrelln's fuzzing work. --- diff --git a/lib/lz4hc.c b/lib/lz4hc.c index 46c20bc..d9e55a0 100644 --- a/lib/lz4hc.c +++ b/lib/lz4hc.c @@ -998,6 +998,11 @@ static void LZ4HC_setExternalDict(LZ4HC_CCtx_internal* ctxPtr, const BYTE* newBl if (ctxPtr->end >= ctxPtr->base + ctxPtr->dictLimit + 4) LZ4HC_Insert (ctxPtr, ctxPtr->end-3); /* Referencing remaining dictionary content */ + /* cannot reference an extDict and a dictCtx at the same time */ + if (ctxPtr->dictCtx != NULL) { + ctxPtr->dictCtx = NULL; + } + /* Only one memory segment for extDict, so any previous extDict is lost at this stage */ ctxPtr->lowLimit = ctxPtr->dictLimit; ctxPtr->dictLimit = (U32)(ctxPtr->end - ctxPtr->base);
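Review bot: The guard around the new assignment in `LZ4HC_setExternalDict` is redundant: `if (ctxPtr->dictCtx != NULL)` only protects a store of NULL, so an unconditional `ctxPtr->dictCtx = NULL;` has the same effect with less code. The added comment states the invariant but not the reason for it. The commit message's explanation (matches found in the `dictCtx` do not account for an `extDict` segment, so their offsets are miscalculated) deserves a line in that comment, because a reader of this function would not otherwise expect setting an `extDict` to drop an attached dictionary context. The diff as shown touches only `lib/lz4hc.c`. Since the commit message says the bug was found by fuzzing and can corrupt data, a round-trip regression test that streams in HC mode with an attached dictionary and reaches this function would keep it from coming back.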