mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2024-12-29 17:22:07 +00:00
lzma/gzip: fix potential oops when input data is truncated
If the lzma/gzip decompressors are called with insufficient input data (len > 0 & fill = NULL), they will attempt to call the fill function to obtain more data, leading to a kernel oops. Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk> Cc: "H. Peter Anvin" <hpa@zytor.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
3354f73b24
commit
6a8811629e
@ -27,6 +27,11 @@
|
||||
|
||||
#define GZIP_IOBUF_SIZE (16*1024)
|
||||
|
||||
static int nofill(void *buffer, unsigned int len)
|
||||
{
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Included from initramfs et al code */
|
||||
STATIC int INIT gunzip(unsigned char *buf, int len,
|
||||
int(*fill)(void*, unsigned int),
|
||||
@ -76,6 +81,9 @@ STATIC int INIT gunzip(unsigned char *buf, int len,
|
||||
goto gunzip_nomem4;
|
||||
}
|
||||
|
||||
if (!fill)
|
||||
fill = nofill;
|
||||
|
||||
if (len == 0)
|
||||
len = fill(zbuf, GZIP_IOBUF_SIZE);
|
||||
|
||||
|
@ -82,6 +82,11 @@ struct rc {
|
||||
#define RC_MODEL_TOTAL_BITS 11
|
||||
|
||||
|
||||
static int nofill(void *buffer, unsigned int len)
|
||||
{
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Called twice: once at startup and once in rc_normalize() */
|
||||
static void INIT rc_read(struct rc *rc)
|
||||
{
|
||||
@ -97,7 +102,10 @@ static inline void INIT rc_init(struct rc *rc,
|
||||
int (*fill)(void*, unsigned int),
|
||||
char *buffer, int buffer_size)
|
||||
{
|
||||
rc->fill = fill;
|
||||
if (fill)
|
||||
rc->fill = fill;
|
||||
else
|
||||
rc->fill = nofill;
|
||||
rc->buffer = (uint8_t *)buffer;
|
||||
rc->buffer_size = buffer_size;
|
||||
rc->buffer_end = rc->buffer + rc->buffer_size;
|
||||
|
Loading…
Reference in New Issue
Block a user