tree eff86901dda863299501c6e729a2d621f607314f
parent 243393c90f2b7cb781fd794e22786e9c8547901a
author Linus Torvalds <[EMAIL PROTECTED]> Sat, 06 Aug 2005 23:42:06 -0700
committer Linus Torvalds <[EMAIL PROTECTED]> Sat, 06 Aug 2005 23:42:06 -0700
Check input buffer size in zisofs
This uses the new deflateBound() thing to sanity-check the input to the
zlib decompressor before we even bother to start reading in the blocks.
Problem noted by Tim Yamin <[EMAIL PROTECTED]>
fs/isofs/compress.c | 6 ++++++
1 files changed, 6 insertions(+)
diff --git a/fs/isofs/compress.c b/fs/isofs/compress.c
--- a/fs/isofs/compress.c
+++ b/fs/isofs/compress.c
@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *
cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
brelse(bh);
+ if (cstart > cend)
+ goto eio;
+
csize = cend-cstart;
+ if (csize > deflateBound(1UL << zisofs_block_shift))
+ goto eio;
+
/* Now page[] contains an array of pages, any of which can be NULL,
and the locks on which we hold. We should now read the data and
release the pages. If the pages are NULL the decompressed data
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
