author | Kota Tsuyuzaki <bloodeagle40234@gmail.com> | 2015-04-17 00:31:53 -0700 |
---|---|---|
committer | Kota Tsuyuzaki <bloodeagle40234@gmail.com> | 2015-07-15 17:17:03 -0700 |
commit | 453beb542b51e86cc802e372a63df8dc085bb387 (patch) | |
tree | 09ef406cc30b5b65d6ef1cc74f0b319255b4ed8b /Makefile.am | |
parent | f61e907d2bbc97160f2d265a7ec6a3ad82b4e6f5 (diff) | |
download | liberasurecode-453beb542b51e86cc802e372a63df8dc085bb387.tar.gz |
Fix decode realloc bitmap segfault (fix-realloc-bm)

When using an instance with a k + m parameter of more than 32
(e.g. k=30, m=20), the decoding process might free invalid fragment
memory passed from an upper application, and it might cause double
free corruption on the upper application layer. That is because some
realloc_bm calculations, as follows, might handle the freeing of
memory invalidly.

e.g. (for reproducing):
- k=30, m=20
- available fragments 0, 1~49 (i.e. fragment 1 dropped) passed in.
and then after decoding...
- liberasurecode frees the realloc memory for fragment 1 *AND 33 (1 + 32)*!

When realloc_bm = 2 (i.e. wants to free only data[1]),
that if-condition results as follows:

The result of (realloc_bm & 1 << i):
i = 0 -> 0
i = 1 -> 2
i = 2~32 -> 0
i = 33 -> 2 (overflowing!!!)

This overflow makes liberasurecode free the memory for fragment
33, though the memory must not be freed.

To prevent this corruption, this patch makes the base integer
64-bit and makes liberasurecode raise an Exception when k + m > 64
at initialization. (i.e. we cannot use more than 64 fragments with
the current realloc_bm because it is an instance based on int64)

Diffstat (limited to 'Makefile.am')
0 files changed, 0 insertions, 0 deletions
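
The aliasing of bit 33 onto bit 1 described in the commit message, as an added example (not liberasurecode's code, and not part of the commit). The function names are hypothetical, the 32-bit bitmap type is an assumption, and the 32-bit shift is modelled with an explicit `i & 31` because shifting a 32-bit value by 32 or more is undefined in ISO C; x86 happens to use only the low 5 bits of the count.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the pre-fix test `realloc_bm & 1 << i`.
 * The count is wrapped explicitly (i & 31) to mirror what x86 does,
 * keeping this example well-defined C. Returns the set of fragment
 * indices (as a 64-bit set, n <= 64) the check selects for freeing. */
static uint64_t freed_set_32(uint32_t realloc_bm, int n)
{
    uint64_t freed = 0;
    for (int i = 0; i < n; i++)
        if (realloc_bm & ((uint32_t)1 << (i & 31)))
            freed |= (uint64_t)1 << i;
    return freed;
}

/* Same loop with a 64-bit base integer, the approach the commit
 * message describes: every index below 64 has its own bit. */
static uint64_t freed_set_64(uint64_t realloc_bm, int n)
{
    uint64_t freed = 0;
    for (int i = 0; i < n; i++)
        if (realloc_bm & ((uint64_t)1 << i))
            freed |= (uint64_t)1 << i;
    return freed;
}

/* Initialization guard for a 64-bit bitmap: 0 if k + m fits, -1 if not.
 * The return convention is an assumption made for this example. */
static int check_fragment_count(int k, int m)
{
    return (k + m > 64) ? -1 : 0;
}

int main(void)
{
    const int k = 30, m = 20;          /* parameters from the commit message */
    const uint32_t realloc_bm = 2;     /* only data[1] should be freed */

    uint64_t bad = freed_set_32(realloc_bm, k + m);
    uint64_t good = freed_set_64(realloc_bm, k + m);
    for (int i = 0; i < k + m; i++)
        if (((bad >> i) & 1) != ((good >> i) & 1))
            printf("fragment %d wrongly selected for free\n", i);
    printf("k=40 m=25 accepted: %s\n",
           check_fragment_count(40, 25) == 0 ? "yes" : "no");
    return 0;
}
```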