coreboot-kgpe-d16/util/cbfstool/lz4/lib
Alex Rebert 70282aece0 lz4: Fix out-of-bounds reads
Fix two out-of-bounds reads in lz4 decompression:

1) LZ4_decompress_generic could read one byte past the input buffer when
decoding variable length literals due to a missing bounds check. This
issue was resolved in libpayload, commonlib and cbfstool.

2) ulz4fn could read up to 4 bytes past the input buffer when reading a
lz4_block_header due to a missing bounds check. This issue was resolved
in libpayload and commonlib.

Change-Id: I5afdf7e1d43ecdb06c7b288be46813c1017569fc
Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com>
Found-by: Mayhem
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39174
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
2020-03-02 15:03:03 +00:00
LICENSE
Makefile
README.md
liblz4.pc.in cbfs: Add LZ4 in-place decompression support for pre-RAM stages 2016-02-22 21:38:37 +01:00
lz4.c
lz4.h
lz4frame.c
lz4frame.h
lz4frame_static.h
lz4hc.c
lz4hc.h
xxhash.c
xxhash.h
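
The two missing bounds checks named in the commit message above, written out as an added example; this is not the coreboot patch and not code from lz4.c. The function names `lz4_literal_length` and `lz4_block_header` and the 0 / -1 return convention are assumptions made for illustration; the byte layouts follow the LZ4 block and frame formats, and both functions assume the start pointer does not lie beyond the end pointer.

```c
#include <stddef.h>
#include <stdint.h>

/* Literal length of one LZ4 sequence: the token's high nibble; if it is 15,
 * following bytes are added until one is not 255. Returns 0 and sets
 * *len and *next, or -1 if decoding would read outside [ip, iend). */
int lz4_literal_length(const uint8_t *ip, const uint8_t *iend,
                       size_t *len, const uint8_t **next)
{
    size_t n;
    uint8_t s;

    if (ip >= iend)
        return -1;              /* no token byte */
    n = (size_t)(*ip++ >> 4);
    if (n == 15) {
        do {
            if (ip >= iend)
                return -1;      /* length run reaches end of input */
            s = *ip++;
            n += s;
        } while (s == 255);
    }
    if ((size_t)(iend - ip) < n)
        return -1;              /* the literals themselves must fit */
    *len = n;
    *next = ip;
    return 0;
}

/* 4-byte little-endian block header (LZ4 frame format): bits 0..30 are the
 * block size, bit 31 marks a block stored uncompressed. Returns 0, or -1
 * if fewer than 4 bytes remain before end. */
int lz4_block_header(const uint8_t *in, const uint8_t *end,
                     uint32_t *size, int *stored)
{
    uint32_t raw;

    if ((size_t)(end - in) < 4)
        return -1;              /* header would extend past the input */
    raw = (uint32_t)in[0] | (uint32_t)in[1] << 8 |
          (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
    *size = raw & 0x7fffffffu;
    *stored = (int)(raw >> 31);
    return 0;
}
```

Without the check inside the `do` loop, an input that ends in the middle of a run of 255 bytes makes the decoder read the byte after the buffer; without the 4-byte check, a truncated input makes the header read extend past it.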

README.md

LZ4 - Library Files

The lib directory contains several files, but you don't necessarily need them all.

To integrate fast LZ4 compression/decompression into your program, you basically just need "lz4.c" and "lz4.h".

For more compression at the cost of compression speed (while preserving decompression speed), use lz4hc on top of regular lz4. lz4hc only provides compression functions. It also needs lz4 to compile properly.

If you want to produce files or data streams compatible with the lz4 command line utility, use lz4frame. This library encapsulates lz4-compressed blocks into the official interoperable frame format. In order to work properly, lz4frame needs lz4 and lz4hc, and also xxhash, which provides the error detection algorithm. (Advanced stuff: It's possible to hide xxhash symbols in a local namespace. This is what liblz4 does, to avoid symbol duplication in case a user program links to several libraries containing xxhash symbols.)

A more complex "lz4frame_static.h" is also provided, although its usage is not recommended. It contains definitions which are not guaranteed to remain stable within future versions. Use for static linking only.

The other files are not source code. They are:

  • LICENSE: contains the BSD license text
  • Makefile: script to compile or install the lz4 library (static or dynamic)
  • liblz4.pc.in: for pkg-config (make install)