From 9143a6c55ef7e8f630857cb08c03844d372c2345 Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Mon, 4 Aug 2014 13:43:03 +0200
Subject: [PATCH] lz4: check for underruns

While overruns are already being taken care of, underruns (resulting from overflows in the respective "op + length" (or similar) operations weren't. This is CVE-2014-4611.

Signed-off-by: Jan Beulich
Acked-by: Ian Campbell
---
 xen/common/lz4/decompress.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/xen/common/lz4/decompress.c b/xen/common/lz4/decompress.c
index 40b33814b6..5cf8f37711 100644
--- a/xen/common/lz4/decompress.c
+++ b/xen/common/lz4/decompress.c
@@ -84,6 +84,8 @@ static int INIT lz4_uncompress(const unsigned char *source, unsigned char *dest,
 ip += length;
 break; /* EOF */
 }
+ if (unlikely((unsigned long)cpy < (unsigned long)op))
+ goto _output_error;
 LZ4_WILDCOPY(ip, op, cpy);
 ip -= (op - cpy);
 op = cpy;
@@ -142,6 +144,8 @@ static int INIT lz4_uncompress(const unsigned char *source, unsigned char *dest,
 goto _output_error;
 continue;
 }
+ if (unlikely((unsigned long)cpy < (unsigned long)op))
+ goto _output_error;
 LZ4_SECURECOPY(ref, op, cpy);
 op = cpy; /* correction */
 }
@@ -207,6 +211,8 @@ static int lz4_uncompress_unknownoutputsize(const unsigned char *source,
 op += length;
 break;/* Necessarily EOF, due to parsing restrictions */
 }
+ if (unlikely((unsigned long)cpy < (unsigned long)op))
+ goto _output_error;
 LZ4_WILDCOPY(ip, op, cpy);
 ip -= (op - cpy);
 op = cpy;
@@ -270,6 +276,8 @@ static int lz4_uncompress_unknownoutputsize(const unsigned char *source,
 goto _output_error;
 continue;
 }
+ if (unlikely((unsigned long)cpy < (unsigned long)op))
+ goto _output_error;
 LZ4_SECURECOPY(ref, op, cpy);
 op = cpy; /* correction */
 }
-- 
2.30.2
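Review bot: The new guard `if (unlikely((unsigned long)cpy < (unsigned long)op))`, added identically in all four hunks (-84, -142, -207 and -270), tests for a pointer wrap only after `cpy` has already been formed from `op` plus an attacker-controlled length, and that computation (outside the hunks) is itself undefined behaviour in C, so an optimising compiler is entitled to assume `op + length >= op` and discard the comparison. A check that does not depend on the wrap having happened would bound the length against the space left in the output buffer before `cpy` is computed, e.g. `if (unlikely(length > (size_t)(oend - op))) goto _output_error;` assuming the output end pointer is named `oend` as in the Linux lz4 code this file appears to derive from; if the after-the-fact form is kept, `uintptr_t` is the portable type for the casts rather than `unsigned long`. Either way the new lines deserve a one-line why-comment, `/* op + length wrapped around: the encoded length is bogus */`, since the bare comparison of two pointers through integer casts is not self-explanatory. Both `lz4_uncompress` and `lz4_uncompress_unknownoutputsize`, including the lines where `cpy` is assigned, extend outside the hunks.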