Skip to content

Commit

Permalink
s2: Fix final emit oob read crash on amd64 (#601)
Browse files Browse the repository at this point in the history
When emitting the final literals we may not have enough input to safely read all without over-reading.

Set output margin to 0 for exact copies in this case.

Fixes #600
  • Loading branch information
klauspost authored May 25, 2022
1 parent 9d225a4 commit ab138a9
Show file tree
Hide file tree
Showing 2 changed files with 444 additions and 98 deletions.
37 changes: 24 additions & 13 deletions s2/_generate/gen.go
Original file line number Diff line number Diff line change
Expand Up @@ -727,19 +727,25 @@ func (o options) genEncodeBlockAsm(name string, tableBits, skipLog, hashBytes, m
RET()
Label("emit_remainder_ok_" + name)
}
// emitLiteral(dst[d:], src[nextEmitL:])
emitEnd := GP64()
MOVQ(lenSrcQ, emitEnd)

// Emit final literals.
o.emitLiteralsDstP(nextEmitL, emitEnd, src, dst, "emit_remainder_"+name)

// Assert size is < limit
assert(func(ok LabelRef) {
// if dstBaseQ < dstLimitPtrQ: ok
CMPQ(dst, dstLimitPtrQ)
JL(ok)
})
{
// emitLiteral(dst[d:], src[nextEmitL:])
emitEnd := GP64()
MOVQ(lenSrcQ, emitEnd)

// Emit final literals.
// Since we may be at the end of source,
// we cannot have output margin.
x := o.outputMargin
o.outputMargin = 0
o.emitLiteralsDstP(nextEmitL, emitEnd, src, dst, "emit_remainder_"+name)
o.outputMargin = x
// Assert size is < limit
assert(func(ok LabelRef) {
// if dstBaseQ < dstLimitPtrQ: ok
CMPQ(dst, dstLimitPtrQ)
JL(ok)
})
}

// length := start - base (ptr arithmetic)
length := GP64()
Expand Down Expand Up @@ -1437,7 +1443,12 @@ func (o options) genEncodeBetterBlockAsm(name string, lTableBits, skipLog, lHash
MOVQ(lenSrcQ, emitEnd)

// Emit final literals.
// Since we may be at the end of source,
// we cannot have output margin.
x := o.outputMargin
o.outputMargin = 0
o.emitLiteralsDstP(nextEmitL, emitEnd, src, dst, "emit_remainder_"+name)
o.outputMargin = x

// Assert size is < limit
assert(func(ok LabelRef) {
Expand Down
Loading

0 comments on commit ab138a9

Please sign in to comment.