commit c239b2fc9c19d7c146888b534a8b51a88df03326 Author: Alexander Færøy ahf@0x90.dk Date: Wed Jun 28 09:57:58 2017 -0400
Fix crash in LZMA module when the Sandbox is enabled.
This patch fixes a crash in our LZMA module where liblzma will allocate slightly more data than it is allowed to by its limit, which leads to a crash.
See: https://bugs.torproject.org/22751 --- changes/bug22751 | 5 +++++ src/common/sandbox.c | 10 ++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/changes/bug22751 b/changes/bug22751 new file mode 100644 index 0000000..714525c --- /dev/null +++ b/changes/bug22751 @@ -0,0 +1,5 @@ + o Major bugfixes (compression): + - Fix crash in LZMA module, when the Sandbox is enabled, where + liblzma would allocate more than 16 MB of memory. We solve this + by bumping the mprotect() limit in the Sandbox module from 16 MB + to 20 MB. Fixes bug 22751; bugfix on 0.3.1.1-alpha. diff --git a/src/common/sandbox.c b/src/common/sandbox.c index aae0705..52caa4f 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -19,8 +19,14 @@ #define _LARGEFILE64_SOURCE #endif
-/** Malloc mprotect limit in bytes. */ -#define MALLOC_MP_LIM (16*1024*1024) +/** Malloc mprotect limit in bytes. + * + * 28/06/2017: This value was increased from 16 MB to 20 MB after we introduced + * LZMA support in Tor (0.3.1.1-alpha). We limit our LZMA coder to 16 MB, but + * liblzma have a small overhead that we need to compensate for to avoid being + * killed by the sandbox. + */ +#define MALLOC_MP_LIM (20*1024*1024)
#include <stdio.h> #include <string.h>