Message266983
Klamann, thanks for the crash report. I think your decompress crash is explained by the bug expanding past UINT_MAX I identified above. The key is that length = 0 in zlib_Decompress_decompress_impl(), as if wrapped around, and the return value will have been resized to zero. My suggested fix step 7 would address this.
The workaround here would either be to pass compressed data in smaller chunks (4 MB or less), so that no chunk can expand to 4 GiB, or to make use of the max_length parameter. Either way, it will make any code more complicated though.
If anyone wants to write a patch (or do testing) to solve any or all of the problems, I am happy to help. But it is not a high priority for me to do all the work, because I am not set up to test it easily.

| Date | User | Action | Args |
|---|---|---|---|
| 2016-06-02 23:07:46 | martin.panter | set | recipients: + martin.panter, nadeem.vawda, xiang.zhang, Klamann |
| 2016-06-02 23:07:46 | martin.panter | set | messageid: <1464908866.54.0.308761645313.issue27130@psf.upfronthosting.co.za> |
| 2016-06-02 23:07:46 | martin.panter | link | issue27130 messages |
| 2016-06-02 23:07:46 | martin.panter | create | |
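
The workaround described in the message above, as an added example that is not part of the original message or of CPython: it feeds the compressed data in small chunks and also passes `max_length`, so no single `decompress()` call returns a large buffer. The names `bounded_decompress`, `sink`, `max_total` and `make_sample`, and the chunk sizes, are assumptions chosen for illustration.

```python
import zlib


def bounded_decompress(data, sink, max_total=None,
                       chunk_in=1024 * 1024, chunk_out=64 * 1024):
    """Inflate a zlib stream piecewise, handing each piece to sink().

    No single decompress() call is asked for more than chunk_out bytes,
    so no result comes near UINT_MAX. Returns the total output size.
    """
    d = zlib.decompressobj()
    view = memoryview(data)
    total = 0
    for start in range(0, len(view), chunk_in):
        buf = view[start:start + chunk_in]       # small compressed chunk
        while True:
            out = d.decompress(buf, chunk_out)   # max_length caps len(out)
            total += len(out)
            if max_total is not None and total > max_total:
                raise ValueError("decompressed size exceeds max_total")
            if out:
                sink(out)
            buf = d.unconsumed_tail              # input held back by the cap
            # Stop when the stream ended, or when the input is used up and
            # the last call did not fill its output allowance.
            if d.eof or (not buf and len(out) < chunk_out):
                break
        if d.eof:
            break
    if not d.eof:
        raise ValueError("truncated or incomplete zlib stream")
    return total


def make_sample(size=8 * 1024 * 1024):
    """Constructed sample: highly compressible input and its zlib stream."""
    plain = b"\0" * size
    return plain, zlib.compress(plain)


if __name__ == "__main__":
    plain, packed = make_sample()
    pieces = []
    n = bounded_decompress(packed, pieces.append)
    print(len(packed), "compressed bytes ->", n, "bytes in", len(pieces), "pieces")
```

Setting `max_total` also gives the caller a hard ceiling on total output, which is useful when the compressed input comes from an untrusted source.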