aboutsummaryrefslogtreecommitdiffstats
path: root/fs/isofs
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@g5.osdl.org>2005-08-06 09:42:06 -0700
committerLinus Torvalds <torvalds@g5.osdl.org>2005-08-06 09:42:06 -0700
commitfab5a60a29f98f17256a4183e34a414f6db67569 (patch)
treeeff86901dda863299501c6e729a2d621f607314f /fs/isofs
parent243393c90f2b7cb781fd794e22786e9c8547901a (diff)
downloadkernel_samsung_espresso10-fab5a60a29f98f17256a4183e34a414f6db67569.zip
kernel_samsung_espresso10-fab5a60a29f98f17256a4183e34a414f6db67569.tar.gz
kernel_samsung_espresso10-fab5a60a29f98f17256a4183e34a414f6db67569.tar.bz2
Check input buffer size in zisofs
This uses the new deflateBound() thing to sanity-check the input to the zlib decompressor before we even bother to start reading in the blocks. Problem noted by Tim Yamin <plasmaroo@gentoo.org>
Diffstat (limited to 'fs/isofs')
-rw-r--r--fs/isofs/compress.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/isofs/compress.c b/fs/isofs/compress.c
index 34a44e4..4917315 100644
--- a/fs/isofs/compress.c
+++ b/fs/isofs/compress.c
@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *file, struct page *page)
cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
brelse(bh);
+ if (cstart > cend)
+ goto eio;
+
csize = cend-cstart;
+ if (csize > deflateBound(1UL << zisofs_block_shift))
+ goto eio;
+
/* Now page[] contains an array of pages, any of which can be NULL,
and the locks on which we hold. We should now read the data and
release the pages. If the pages are NULL the decompressed data