From: Yann Collet Date: Tue, 9 Oct 2018 21:37:51 +0000 (-0700) Subject: fixed #589 X-Git-Tag: upstream/1.9.3~5^2~58^2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6902fa48925ed22cd37bb4262205437feb8d2420;p=platform%2Fupstream%2Flz4.git fixed #589 following recommendations by @raggi. The fix is slightly different, but achieves the same goal, and is backed by a test tool which proves that it works (generates the error before the patch, no longer after the patch).
---
diff --git a/lib/lz4frame.c b/lib/lz4frame.c
index e688f72..357f962 100644
--- a/lib/lz4frame.c
+++ b/lib/lz4frame.c
@@ -951,14 +951,18 @@ size_t LZ4F_compressEnd(LZ4F_cctx* cctxPtr,
 size_t const flushSize = LZ4F_flush(cctxPtr, dstBuffer, dstCapacity, compressOptionsPtr);
 if (LZ4F_isError(flushSize)) return flushSize;
- assert(flushSize <= dstCapacity);
 dstPtr += flushSize;
+ assert(flushSize <= dstCapacity);
+ dstCapacity -= flushSize;
+
+ if (dstCapacity < 4) return err0r(LZ4F_ERROR_dstMaxSize_tooSmall);
 LZ4F_writeLE32(dstPtr, 0);
 dstPtr += 4; /* endMark */
 if (cctxPtr->prefs.frameInfo.contentChecksumFlag == LZ4F_contentChecksumEnabled) {
 U32 const xxh = XXH32_digest(&(cctxPtr->xxh));
+ if (dstCapacity < 8) return err0r(LZ4F_ERROR_dstMaxSize_tooSmall);
 LZ4F_writeLE32(dstPtr, xxh);
 dstPtr+=4; /* content Checksum */
 }
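Review bot: The subtraction `dstCapacity -= flushSize;` is guarded only by `assert(flushSize <= dstCapacity);`, which is compiled out when NDEBUG is defined; if LZ4F_flush ever returned more than dstCapacity, the unsigned subtraction would wrap and both new checks (`dstCapacity < 4` and `dstCapacity < 8`) would pass. Whether LZ4F_flush guarantees that bound is not visible in this hunk, so a runtime guard placed before `dstPtr += flushSize;` would make the new checks self-sufficient: `if (flushSize > dstCapacity) return err0r(LZ4F_ERROR_dstMaxSize_tooSmall);`. Separately, the `8` in the checksum branch silently includes the 4 endMark bytes already written, because dstCapacity is not reduced after the endMark; a comment such as `/* 4 (endMark) + 4 (content checksum) */` on that line would keep a later edit from breaking the bound. LZ4F_compressEnd starts before and continues after this hunk.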