aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2014-06-24 16:59:01 -0400
committerSimon Shields <keepcalm444@gmail.com>2016-06-12 21:20:12 +1000
commit4d43c9b5489f01cef6419af1935d97bd5b520c26 (patch)
tree59b91cfca5ae6e3a1366db8f951887fc95611597
parent69a113aae3d8c2753f68d0b64f0219d9cc6e493f (diff)
downloadkernel_samsung_smdk4412-4d43c9b5489f01cef6419af1935d97bd5b520c26.zip
kernel_samsung_smdk4412-4d43c9b5489f01cef6419af1935d97bd5b520c26.tar.gz
kernel_samsung_smdk4412-4d43c9b5489f01cef6419af1935d97bd5b520c26.tar.bz2
lz4: fix another possible overrun
There is one other possible overrun in the lz4 code as implemented by Linux at this point in time (which differs from the upstream lz4 codebase, but will get synced at in a future kernel release.) As pointed out by Don, we also need to check the overflow in the data itself. While we are at it, replace the odd error return value with just a "simple" -1 value as the return value is never used for anything other than a basic "did this work or not" check. Reported-by: "Don A. Bailey" <donb@securitymouse.com> Reported-by: Willy Tarreau <w@1wt.eu> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--lib/lz4/lz4_decompress.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index 99a03ac..b74da44 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -108,6 +108,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
if (length == ML_MASK) {
for (; *ip == 255; length += 255)
ip++;
+ if (unlikely(length > (size_t)(length + *ip)))
+ goto _output_error;
length += *ip++;
}
@@ -157,7 +159,7 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
/* write overflow error detected */
_output_error:
- return (int) (-(((char *)ip) - source));
+ return -1;
}
static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,