aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2014-06-20 22:01:41 -0700
committerAndreas Blaesius <skate4life@gmx.de>2016-06-05 21:21:51 +0200
commit716829ccad945bb24d3b9e6d884518b6f0abf363 (patch)
tree41084a65f9fdb08f2418bb3b3ccb76fed00212c3 /lib
parent492313a0c54a91633b71b00d5db63054e0de9444 (diff)
downloadkernel_samsung_espresso10-716829ccad945bb24d3b9e6d884518b6f0abf363.zip
kernel_samsung_espresso10-716829ccad945bb24d3b9e6d884518b6f0abf363.tar.gz
kernel_samsung_espresso10-716829ccad945bb24d3b9e6d884518b6f0abf363.tar.bz2
lz4: ensure length does not wrap
Given some pathologically compressed data, lz4 could possibly decide to wrap a few internal variables, causing unknown things to happen. Catch this before the wrapping happens and abort the decompression. Reported-by: "Don A. Bailey" <donb@securitymouse.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/lz4/lz4_decompress.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index df6839e..99a03ac 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -72,6 +72,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
len = *ip++;
for (; len == 255; length += 255)
len = *ip++;
+ if (unlikely(length > (size_t)(length + len)))
+ goto _output_error;
length += len;
}