From 58d0718061c87e3d647c891ec5281b93c08dba4e Mon Sep 17 00:00:00 2001
From: Dan McDonald <danmcd@omniti.com>
Date: Mon, 23 Jun 2014 22:25:02 -0400
Subject: [PATCH] 4936 lz4 could theoretically overflow a pointer with a
 certain input Reviewed by: Saso Kiselkov <skiselkov.ml@gmail.com> Reviewed
 by: Keith Wesolowski <keith.wesolowski@joyent.com> Approved by: Gordon Ross
 <gordon.ross@nexenta.com>

---
 usr/src/grub/grub-0.97/stage2/zfs_lz4.c | 3 +++
 usr/src/uts/common/fs/zfs/lz4.c         | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/usr/src/grub/grub-0.97/stage2/zfs_lz4.c b/usr/src/grub/grub-0.97/stage2/zfs_lz4.c
index 42c03f9135d3..6d94111538d8 100644
--- a/usr/src/grub/grub-0.97/stage2/zfs_lz4.c
+++ b/usr/src/grub/grub-0.97/stage2/zfs_lz4.c
@@ -214,6 +214,9 @@ LZ4_uncompress_unknownOutputSize(const char *source,
 		}
 		/* copy literals */
 		cpy = op + length;
+		/* CORNER-CASE: cpy might overflow. */
+		if (cpy < op)
+			goto _output_error;	/* cpy was overflowed, bail! */
 		if ((cpy > oend - COPYLENGTH) ||
 		    (ip + length > iend - COPYLENGTH)) {
 			if (cpy > oend)
diff --git a/usr/src/uts/common/fs/zfs/lz4.c b/usr/src/uts/common/fs/zfs/lz4.c
index 40cb0711e08f..656360a6f2e0 100644
--- a/usr/src/uts/common/fs/zfs/lz4.c
+++ b/usr/src/uts/common/fs/zfs/lz4.c
@@ -960,6 +960,9 @@ real_LZ4_uncompress(const char *source, char *dest, int osize)
 		}
 		/* copy literals */
 		cpy = op + length;
+		/* CORNER-CASE: cpy might overflow. */
+		if (cpy < op)
+			goto _output_error;	/* cpy was overflowed, bail! */
 		if unlikely(cpy > oend - COPYLENGTH) {
 			if (cpy != oend)
 				/* Error: we must necessarily stand at EOF */
@@ -1075,6 +1078,9 @@ LZ4_uncompress_unknownOutputSize(const char *source, char *dest, int isize,
 		}
 		/* copy literals */
 		cpy = op + length;
+		/* CORNER-CASE: cpy might overflow. */
+		if (cpy < op)
+			goto _output_error;	/* cpy was overflowed, bail! */
 		if ((cpy > oend - COPYLENGTH) ||
 		    (ip + length > iend - COPYLENGTH)) {
 			if (cpy > oend)