diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-06-21 07:01:41 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-06-23 20:12:01 +0200 |
commit | 206204a1162b995e2185275167b22468c00d6b36 (patch) | |
tree | f09cf353e088f94a0b18b39528e486d350d18919 /lib | |
parent | lzo: properly check for overruns (diff) | |
download | linux-206204a1162b995e2185275167b22468c00d6b36.tar.xz linux-206204a1162b995e2185275167b22468c00d6b36.zip |
lz4: ensure length does not wrap
Given some pathologically compressed data, lz4 could possibly decide to
wrap a few internal variables, causing unknown things to happen. Catch
this before the wrapping happens and abort the decompression.
Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/lz4/lz4_decompress.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c index df6839e3ce08..99a03acb7d47 100644 --- a/lib/lz4/lz4_decompress.c +++ b/lib/lz4/lz4_decompress.c @@ -72,6 +72,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize) len = *ip++; for (; len == 255; length += 255) len = *ip++; + if (unlikely(length > (size_t)(length + len))) + goto _output_error; length += len; } |