From fab5a60a29f98f17256a4183e34a414f6db67569 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@g5.osdl.org>
Date: Sat, 6 Aug 2005 09:42:06 -0700
Subject: Check input buffer size in zisofs

This uses the new deflateBound() thing to sanity-check the input to the zlib decompressor before we even bother to start reading in the blocks. Problem noted by Tim Yamin <plasmaroo@gentoo.org>
---
fs/isofs/compress.c | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'fs/isofs/compress.c')
diff --git a/fs/isofs/compress.c b/fs/isofs/compress.c
index 34a44e451689..4917315db732 100644
--- a/fs/isofs/compress.c
+++ b/fs/isofs/compress.c
@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *file, struct page *page)
cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask))); brelse(bh); + if (cstart > cend) + goto eio; + csize = cend-cstart; + if (csize > deflateBound(1UL << zisofs_block_shift)) + goto eio; + /* Now page[] contains an array of pages, any of which can be NULL, and the locks on which we hold. We should now read the data and release the pages. If the pages are NULL the decompressed data
-- 
cgit v1.2.3
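Review bot: The new `csize > deflateBound(1UL << zisofs_block_shift)` test is only as strong as `zisofs_block_shift`, which is assigned outside this hunk; if that value comes from the image without a range check (not visible here), a shift count at or above the width of `unsigned long` is undefined and a large one makes the bound too loose to reject anything, so confirm it is validated where it is parsed. Both checks also deserve a comment stating the trust boundary, since `cend` is read from the buffer head just above and `cstart` presumably the same way: `/* Extent bounds come from the image: reject inverted or oversized ranges before reading any block */` above `if (cstart > cend)`. Both rejections jump to `eio` without a log line, so a malformed image looks the same as a media error to whoever triages it; a rate-limited message on these two paths would help, if that fits the file's conventions. zisofs_readpage starts and ends outside the hunk, so the declarations of `cstart`, `cend` and `csize` (and their signedness in the comparison with deflateBound's result) and the `eio` label were not reviewed.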