summaryrefslogtreecommitdiff
path: root/app/lzo/NEWS
diff options
context:
space:
mode:
Diffstat (limited to 'app/lzo/NEWS')
-rw-r--r--app/lzo/NEWS16
1 files changed, 16 insertions, 0 deletions
diff --git a/app/lzo/NEWS b/app/lzo/NEWS
index 15eedeff..103c4d87 100644
--- a/app/lzo/NEWS
+++ b/app/lzo/NEWS
@@ -2,6 +2,22 @@
User visible changes for LZO -- a real-time data compression library
============================================================================
+Changes in 2.07 (25 Jun 2014)
+ * Fixed a potential integer overflow condition in the "safe" decompressor
+ variants which could result in a possible buffer overrun when
+ processing maliciously crafted compressed input data.
+
+ As this issue only affects 32-bit systems and also can only happen if
+ you use uncommonly huge buffer sizes where you have to decompress more
+ than 16 MiB (2^24 bytes) compressed bytes within a single function call,
+ the practical implications are limited.
+
+ POTENTIAL SECURITY ISSUE.
+
+ * Removed support for ancient configurations like 16-bit "huge" pointers -
+ LZO now requires a flat 32-bit or 64-bit memory model.
+ * Assorted cleanups.
+
Changes in 2.06 (12 Aug 2011)
* Some minor optimizations for big-endian architectures.
* Fixed overly strict malloc() misalignment check in examples.