Commit 4148c1f6 authored by Greg Kroah-Hartman's avatar Greg Kroah-Hartman

lz4: fix another possible overrun

There is one other possible overrun in the lz4 code as implemented by
Linux at this point in time (which differs from the upstream lz4
codebase, but will get synced at in a future kernel release.)  As
pointed out by Don, we also need to check the overflow in the data
itself.

While we are at it, replace the odd error return value with just a
"simple" -1 value as the return value is never used for anything other
than a basic "did this work or not" check.
Reported-by: default avatar"Don A. Bailey" <donb@securitymouse.com>
Reported-by: default avatarWilly Tarreau <w@1wt.eu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 206204a1
...@@ -108,6 +108,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize) ...@@ -108,6 +108,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
if (length == ML_MASK) { if (length == ML_MASK) {
for (; *ip == 255; length += 255) for (; *ip == 255; length += 255)
ip++; ip++;
if (unlikely(length > (size_t)(length + *ip)))
goto _output_error;
length += *ip++; length += *ip++;
} }
...@@ -157,7 +159,7 @@ static int lz4_uncompress(const char *source, char *dest, int osize) ...@@ -157,7 +159,7 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
/* write overflow error detected */ /* write overflow error detected */
_output_error: _output_error:
return (int) (-(((char *)ip) - source)); return -1;
} }
static int lz4_uncompress_unknownoutputsize(const char *source, char *dest, static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment