CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

lz4: fix CVE-2025-62813

Browse Source 
Prevent attackers to cause a denial of service (application crash) or
possibly have unspecified other impact when the application processes
untrusted LZ4 frames. For example, LZ4F_createCDict_advanced in
lib/lz4frame.c mishandles NULL checks.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-62813

Upstream patch:
f64efec011

(From OE-Core rev: 0a63e3e120cc6958e2963a3ad510ec7c03f1adae)

Signed-off-by: David Nyström <david.nystrom@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
David Nyström 2025-10-27 20:54:48 +01:00 committed by Steve Sakoman
parent 4a784d7f74
commit b45fdb365d
2 changed files with 76 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
meta/recipes-support/lz4/files/CVE-2025-62813.patch Normal file
View File

@ -0,0 +1,73 @@
From 10dbd089b74cf858a24a4aa4c2a438984ddf17d7 Mon Sep 17 00:00:00 2001
From: louislafosse <louis.lafosse@epitech.eu>
Date: Mon, 31 Mar 2025 20:48:52 +0200
Subject: [PATCH] fix(null) : improve error handlings when passing a null
pointer to some functions from lz4frame
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Upstream-Status: Backport [Upstream commit https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82]
CVE: CVE-2025-62813
Signed-off-by: David Nyström <david.nystrom@est.tech>
---
lib/lz4frame.c | 15 +++++++++++++--
tests/frametest.c | 9 ++++++---
2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/lib/lz4frame.c b/lib/lz4frame.c
index 174f9ae4..cc6ed6f1 100644
--- a/lib/lz4frame.c
+++ b/lib/lz4frame.c
@@ -530,9 +530,16 @@ LZ4F_CDict*
LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize)
{
const char* dictStart = (const char*)dictBuffer;
- LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
+ LZ4F_CDict* cdict = NULL;
+
DEBUGLOG(4, "LZ4F_createCDict_advanced");
- if (!cdict) return NULL;
+
+ if (!dictStart)
+ return NULL;
+ cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
+ if (!cdict)
+ return NULL;
+
cdict->cmem = cmem;
if (dictSize > 64 KB) {
dictStart += dictSize - 64 KB;
@@ -1429,6 +1436,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_dctx* dctx,
LZ4F_frameInfo_t* frameInfoPtr,
const void* srcBuffer, size_t* srcSizePtr)
{
+ assert(dctx != NULL);
+ RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null);
+ RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null);
+
LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader);
if (dctx->dStage > dstage_storeFrameHeader) {
/* frameInfo already decoded */
diff --git a/tests/frametest.c b/tests/frametest.c
index 33019551..523e35d1 100644
--- a/tests/frametest.c
+++ b/tests/frametest.c
@@ -589,10 +589,13 @@ int basicTests(U32 seed, double compressibility)
size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */
size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL);
size_t cSizeNoDict, cSizeWithDict;
- LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize);
- if (cdict == NULL) goto _output_error;
- CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
+ LZ4F_CDict* cdict = NULL;
+ CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
+ cdict = LZ4F_createCDict(CNBuffer, dictSize);
+ if (cdict == NULL)
+ goto _output_error;
+
DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : ");
{ LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize);
if (cda == NULL) goto _output_error;

5
meta/recipes-support/lz4/lz4_1.9.4.bb
View File

@ -13,8 +13,9 @@ PE = "1"
SRCREV = "5ff839680134437dbf4678f3d0c7b371d84f4964"
SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \
file://run-ptest \
"
file://run-ptest \
file://CVE-2025-62813.patch \
"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
S = "${WORKDIR}/git"