Check input buffer size in zisofs
This uses the new deflateBound() thing to sanity-check the input to the zlib decompressor before we even bother to start reading in the blocks. Problem noted by Tim Yamin <plasmaroo@gentoo.org>
parent 243393c90f
commit fab5a60a29
1 changed files with 6 additions and 0 deletions
|
@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *file, struct page *page)
|
||||||
cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
|
cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
|
||||||
brelse(bh);
|
brelse(bh);
|
||||||
|
|
||||||
|
if (cstart > cend)
|
||||||
|
goto eio;
|
||||||
|
|
||||||
csize = cend-cstart;
|
csize = cend-cstart;
|
||||||
|
|
||||||
|
if (csize > deflateBound(1UL << zisofs_block_shift))
|
||||||
|
goto eio;
|
||||||
|
|
||||||
/* Now page[] contains an array of pages, any of which can be NULL,
|
/* Now page[] contains an array of pages, any of which can be NULL,
|
||||||
and the locks on which we hold. We should now read the data and
|
and the locks on which we hold. We should now read the data and
|
||||||
release the pages. If the pages are NULL the decompressed data
|
release the pages. If the pages are NULL the decompressed data
|
||||||
|
|
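Review bot: The new `if (cstart > cend)` test lets `cstart == cend` through, so `csize` can be 0 when it reaches the `deflateBound()` comparison and whatever follows; the handling of an empty block is not visible in this hunk, so please confirm the code below copes with `csize == 0` or reject it here. Both added checks are also uncommented. A one-line comment above `if (csize > deflateBound(1UL << zisofs_block_shift))` saying that a compressed block can never legitimately be larger than the worst-case deflate output for one uncompressed block of `1UL << zisofs_block_shift` bytes would make the intent clear. Placing the ordering check before `csize = cend-cstart;` is the right order, since it keeps the subtraction from wrapping on on-disk values that come straight from `le32_to_cpu()`.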