diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-06-20 22:01:41 -0700 |
|---|---|---|
| committer | Andreas Blaesius <skate4life@gmx.de> | 2016-06-05 21:21:51 +0200 |
| commit | 716829ccad945bb24d3b9e6d884518b6f0abf363 (patch) | |
| tree | 41084a65f9fdb08f2418bb3b3ccb76fed00212c3 /lib | |
| parent | 492313a0c54a91633b71b00d5db63054e0de9444 (diff) | |
| download | kernel_samsung_espresso10-716829ccad945bb24d3b9e6d884518b6f0abf363.zip kernel_samsung_espresso10-716829ccad945bb24d3b9e6d884518b6f0abf363.tar.gz kernel_samsung_espresso10-716829ccad945bb24d3b9e6d884518b6f0abf363.tar.bz2 | |
lz4: ensure length does not wrap
Given some pathologically compressed data, lz4 could possibly decide to
wrap a few internal variables, causing unknown things to happen. Catch
this before the wrapping happens and abort the decompression.
Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/lz4/lz4_decompress.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c index df6839e..99a03ac 100644 --- a/lib/lz4/lz4_decompress.c +++ b/lib/lz4/lz4_decompress.c @@ -72,6 +72,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize) len = *ip++; for (; len == 255; length += 255) len = *ip++; + if (unlikely(length > (size_t)(length + len))) + goto _output_error; length += len; } |