authorPhillip Lougher <phillip@lougher.demon.co.uk>2010-08-05 04:51:50 +0100
committerPhillip Lougher <phillip@lougher.demon.co.uk>2010-08-05 04:51:50 +0100
commitf3065f60ddfd4b5e34a412851d91d0cf27cdbf7e (patch)
tree08d77b60ee6ffa601d230d4b978a3dad03d8bd7c
parent79cb8ced7eef53856b5a877db0544acf52e00c80 (diff)
Squashfs: fix block size use in LZO decompressor
Sizing the buffer using block size alone is incorrect, leading to a potential buffer over-run on 4K block size file systems (because the metadata block size is always 8K). Srclength is set to the maximum expected size of the decompressed block, which is block_size or 8K depending on whether a data or metadata block is being decompressed. Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
-rw-r--r--fs/squashfs/lzo_wrapper.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/fs/squashfs/lzo_wrapper.c b/fs/squashfs/lzo_wrapper.c
index e1f86de..5d87789 100644
--- a/fs/squashfs/lzo_wrapper.c
+++ b/fs/squashfs/lzo_wrapper.c
@@ -40,13 +40,15 @@ struct squashfs_lzo {
static void *lzo_init(struct squashfs_sb_info *msblk)
{
+ int block_size = max_t(int, msblk->block_size, SQUASHFS_METADATA_SIZE);
+
struct squashfs_lzo *stream = kzalloc(sizeof(*stream), GFP_KERNEL);
if (stream == NULL)
goto failed;
- stream->input = vmalloc(msblk->block_size);
+ stream->input = vmalloc(block_size);
if (stream->input == NULL)
goto failed;
- stream->output = vmalloc(msblk->block_size);
+ stream->output = vmalloc(block_size);
if (stream->output == NULL)
goto failed2;
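Review bot: The new local `block_size` in lzo_init() holds the workspace size rather than the filesystem block size, and nothing at its declaration says why the two differ. A name such as `buf_size`, with a comment like `/* metadata blocks are always SQUASHFS_METADATA_SIZE, which can exceed msblk->block_size */`, would make it less likely that a later cleanup reverts both vmalloc() calls to `msblk->block_size`. The added blank line also separates the two declarations; keeping `stream` directly under the size declaration is the more usual layout. The function's error labels and return are outside the hunk.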
@@ -80,7 +82,7 @@ static int lzo_uncompress(struct squashfs_sb_info *msblk, void **buffer,
struct squashfs_lzo *stream = msblk->stream;
void *buff = stream->input;
int avail, i, bytes = length, res;
- size_t out_len = msblk->block_size;
+ size_t out_len = srclength;
mutex_lock(&msblk->read_data_mutex);
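Review bot: `size_t out_len = srclength;` is only safe while every caller passes a value no larger than the max(block_size, SQUASHFS_METADATA_SIZE) that lzo_init() allocated for `stream->output`, and nothing in lzo_uncompress() states or checks that invariant. At minimum add a comment on that line, e.g. `/* srclength never exceeds the workspace size allocated in lzo_init() */`. A real guard would need the allocated size recorded in struct squashfs_lzo, whose definition is outside the hunk. The declaration of `srclength` is also cut off in the hunk header; if it is a signed int, a negative value would convert to a very large `size_t` here, so that is worth confirming against the callers. The rest of the function body is outside the hunk.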