On Sat, Feb 22, 2025 at 11:27:49PM +0900, Sergey Senozhatsky wrote: > > So I didn't look at all of them, but at least S/W lzo1 doesn't even > have a notion of max-output-len. lzo1x_1_compress() accepts a pointer > to out_len which tells the size of output stream (the algorithm is free > to produce any), so there is no dst_buf overflow as far as lzo1 is > concerned. Unless I'm missing something or misunderstanding your points. I just looked at deflate/zstd and they seem to be doing the right things. But yes lzo is a gaping security hole on the compression side. The API has always specified a maximum output length and it needs to be respected for both compression and decompression. Cheers, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
