summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLasse Collin <lasse.collin@tukaani.org>2011-01-13 02:01:17 +0100
committerLinus Torvalds <torvalds@linux-foundation.org>2011-01-13 17:03:24 +0100
commit278208d9d631524d04152574f87b9b88919ce663 (patch)
treeee50d75ba3589c76b45525a8b0c30eb85d6634a7
parentDecompressors: fix header validation in decompress_unlzma.c (diff)
downloadlinux-278208d9d631524d04152574f87b9b88919ce663.tar.xz
linux-278208d9d631524d04152574f87b9b88919ce663.zip
Decompressors: check for read errors in decompress_unlzma.c
Return value of rc->fill() is checked in rc_read() and error() is called when needed, but then the code continues as if nothing had happened. rc_read() is a void function and it's on the top of performance critical call stacks, so propagating the error code via return values doesn't sound like the best fix. It seems better to check rc->buffer_size (which holds the return value of rc->fill()) in the main loop. It does nothing bad that the code runs a little with unknown data after a failed rc->fill(). This fixes an infinite loop in initramfs decompression if the LZMA-compressed initramfs image is corrupt. Signed-off-by: Lasse Collin <lasse.collin@tukaani.org> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Alain Knaff <alain@knaff.lu> Cc: Albin Tonnerre <albin.tonnerre@free-electrons.com> Cc: Phillip Lougher <phillip@lougher.demon.co.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--lib/decompress_unlzma.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/decompress_unlzma.c b/lib/decompress_unlzma.c
index 696c34a274cf..4281aa9cb76c 100644
--- a/lib/decompress_unlzma.c
+++ b/lib/decompress_unlzma.c
@@ -631,6 +631,8 @@ STATIC inline int INIT unlzma(unsigned char *buf, int in_len,
if (cst.rep0 == 0)
break;
}
+ if (rc.buffer_size <= 0)
+ goto exit_3;
}
if (posp)
@@ -638,6 +640,7 @@ STATIC inline int INIT unlzma(unsigned char *buf, int in_len,
if (wr.flush)
wr.flush(wr.buffer, wr.buffer_pos);
ret = 0;
+exit_3:
large_free(p);
exit_2:
if (!output)