author | Linus Torvalds <torvalds@g5.osdl.org> | 2005-08-06 09:42:06 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-08-06 09:42:06 -0700 |
commit | fab5a60a29f98f17256a4183e34a414f6db67569 | |
tree | eff86901dda863299501c6e729a2d621f607314f | |
parent | 243393c90f2b7cb781fd794e22786e9c8547901a | |
Check input buffer size in zisofs
This uses the new deflateBound() thing to sanity-check the input to the
zlib decompressor before we even bother to start reading in the blocks.
Problem noted by Tim Yamin <plasmaroo@gentoo.org>
-rw-r--r-- | fs/isofs/compress.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/isofs/compress.c b/fs/isofs/compress.c index 34a44e45168..4917315db73 100644 --- a/fs/isofs/compress.c +++ b/fs/isofs/compress.c @@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *file, struct page *page) cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask))); brelse(bh); + if (cstart > cend) + goto eio; + csize = cend-cstart; + if (csize > deflateBound(1UL << zisofs_block_shift)) + goto eio; + /* Now page[] contains an array of pages, any of which can be NULL, and the locks on which we hold. We should now read the data and release the pages. If the pages are NULL the decompressed data |
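Review bot: The two new `goto eio` checks after `brelse(bh)` have no comment explaining what they guard. `cstart` and `cend` are read straight out of `bh->b_data` with `le32_to_cpu()`, so they are values taken from the image and cannot be trusted. A short comment above `if (cstart > cend)` saying so, and saying that `deflateBound(1UL << zisofs_block_shift)` is the upper bound on the compressed size of one block, would make the intent clear to whoever touches this next. Two smaller things to confirm against the code outside this hunk: `cstart == cend` passes both tests and leaves `csize` at 0, so the path below has to cope with an empty compressed block; and the declaration of `csize` is not visible here, so check that the comparison with the `deflateBound()` result is done on unsigned values of the same width.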