Commit fab5a60a authored by Linus Torvalds

Check input buffer size in zisofs

This uses the new deflateBound() thing to sanity-check the input to the
zlib decompressor before we even bother to start reading in the blocks.

Problem noted by Tim Yamin <plasmaroo@gentoo.org>
parent 243393c9
...@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *file, struct page *page) ...@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *file, struct page *page)
cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask))); cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
brelse(bh); brelse(bh);
if (cstart > cend)
goto eio;
csize = cend-cstart; csize = cend-cstart;
if (csize > deflateBound(1UL << zisofs_block_shift))
goto eio;
/* Now page[] contains an array of pages, any of which can be NULL, /* Now page[] contains an array of pages, any of which can be NULL,
and the locks on which we hold. We should now read the data and and the locks on which we hold. We should now read the data and
release the pages. If the pages are NULL the decompressed data release the pages. If the pages are NULL the decompressed data
......
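Review bot: the two new checks around `csize = cend-cstart` carry no comment saying why they exist, and a one-line note would help: cstart and cend are read straight from the on-disk block pointer table (`le32_to_cpu(*(__le32 *)(bh->b_data + ...))`), so they are untrusted, and `deflateBound(1UL << zisofs_block_shift)` is the largest compressed size a block of that uncompressed size can legitimately have. Two things to confirm from the rest of the function: that the `eio` label releases the pages in page[], since the comment immediately below says their locks are already held at this point, and that `cstart == cend` (which passes both checks and leaves csize at 0) is handled by the code that follows.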