Fix crash in LZMA module when the Sandbox is enabled.

This patch fixes a crash in our LZMA module where liblzma will allocate slightly more data than it is allowed to by its limit, which leads to a crash. See: https://bugs.torproject.org/22751
2024-11-19 18:00:33 +01:00 · 2017-06-28 09:57:58 -04:00 · 2017-06-28 09:57:58 -04:00 · c239b2fc9c
commit c239b2fc9c
parent 2cd49d9ea6
2 changed files with 13 additions and 2 deletions
--- a/changes/bug22751
+++ b/changes/bug22751
@ -0,0 +1,5 @@
+  o Major bugfixes (compression):
+    - Fix crash in LZMA module, when the Sandbox is enabled, where
+      liblzma would allocate more than 16 MB of memory.  We solve this
+      by bumping the mprotect() limit in the Sandbox module from 16 MB
+      to 20 MB.  Fixes bug 22751; bugfix on 0.3.1.1-alpha.
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@ -19,8 +19,14 @@
 #define _LARGEFILE64_SOURCE
 #endif

-/** Malloc mprotect limit in bytes. */
-#define MALLOC_MP_LIM (16*1024*1024)
+/** Malloc mprotect limit in bytes.
+ *
+ * 28/06/2017: This value was increased from 16 MB to 20 MB after we introduced
+ * LZMA support in Tor (0.3.1.1-alpha). We limit our LZMA coder to 16 MB, but
+ * liblzma have a small overhead that we need to compensate for to avoid being
+ * killed by the sandbox.
+ */
+#define MALLOC_MP_LIM (20*1024*1024)

 #include <stdio.h>
 #include <string.h>