summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@osdl.org>2005-08-06 11:33:11 -0700
committerChris Wright <chrisw@osdl.org>2005-08-14 17:20:09 -0700
commit49f8907fb9de31d3a0a099fef0f42ccdcdc9c7e7 (patch)
tree8e98567f28ce0d153ed8b6e0dc33d7ebce523f0d
parent885605316d76c3fdce23dffe9c59e20539287c6b (diff)
downloadlinux-stable-49f8907fb9de31d3a0a099fef0f42ccdcdc9c7e7.tar.gz
linux-stable-49f8907fb9de31d3a0a099fef0f42ccdcdc9c7e7.tar.bz2
linux-stable-49f8907fb9de31d3a0a099fef0f42ccdcdc9c7e7.zip
[PATCH] Check input buffer size in zisofs
Add fakey 'deflateBound()' function to the in-kernel zlib routines It's not the real deflateBound() in newer zlib libraries, partly because the upcoming usage of it won't have the "stream" available, so we can't have the same interfaces anyway. This uses the new deflateBound() thing to sanity-check the input to the zlib decompressor before we even bother to start reading in the blocks. Problem noted by Tim Yamin <plasmaroo@gentoo.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: H. Peter Anvin <hpa@zytor.com>
-rw-r--r--fs/isofs/compress.c6
-rw-r--r--include/linux/zlib.h5
2 files changed, 11 insertions, 0 deletions
diff --git a/fs/isofs/compress.c b/fs/isofs/compress.c
index 34a44e451689..4917315db732 100644
--- a/fs/isofs/compress.c
+++ b/fs/isofs/compress.c
@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *file, struct page *page)
cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
brelse(bh);
+ if (cstart > cend)
+ goto eio;
+
csize = cend-cstart;
+ if (csize > deflateBound(1UL << zisofs_block_shift))
+ goto eio;
+
/* Now page[] contains an array of pages, any of which can be NULL,
and the locks on which we hold. We should now read the data and
release the pages. If the pages are NULL the decompressed data
diff --git a/include/linux/zlib.h b/include/linux/zlib.h
index 850076ea14d3..74f7b78c22d2 100644
--- a/include/linux/zlib.h
+++ b/include/linux/zlib.h
@@ -506,6 +506,11 @@ extern int zlib_deflateReset (z_streamp strm);
stream state was inconsistent (such as zalloc or state being NULL).
*/
+static inline unsigned long deflateBound(unsigned long s)
+{
+ return s + ((s + 7) >> 3) + ((s + 63) >> 6) + 11;
+}
+
extern int zlib_deflateParams (z_streamp strm, int level, int strategy);
/*
Dynamically update the compression level and compression strategy. The