diff options
author | Linus Torvalds <torvalds@g5.osdl.org> | 2005-08-06 12:42:06 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-08-06 12:42:06 -0400 |
commit | fab5a60a29f98f17256a4183e34a414f6db67569 (patch) | |
tree | eff86901dda863299501c6e729a2d621f607314f /fs/isofs | |
parent | 243393c90f2b7cb781fd794e22786e9c8547901a (diff) |
Check input buffer size in zisofs
This uses the new deflateBound() thing to sanity-check the input to the
zlib decompressor before we even bother to start reading in the blocks.
Problem noted by Tim Yamin <plasmaroo@gentoo.org>
Diffstat (limited to 'fs/isofs')
-rw-r--r-- | fs/isofs/compress.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/isofs/compress.c b/fs/isofs/compress.c index 34a44e45168..4917315db73 100644 --- a/fs/isofs/compress.c +++ b/fs/isofs/compress.c | |||
@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *file, struct page *page) | |||
129 | cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask))); | 129 | cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask))); |
130 | brelse(bh); | 130 | brelse(bh); |
131 | 131 | ||
132 | if (cstart > cend) | ||
133 | goto eio; | ||
134 | |||
132 | csize = cend-cstart; | 135 | csize = cend-cstart; |
133 | 136 | ||
137 | if (csize > deflateBound(1UL << zisofs_block_shift)) | ||
138 | goto eio; | ||
139 | |||
134 | /* Now page[] contains an array of pages, any of which can be NULL, | 140 | /* Now page[] contains an array of pages, any of which can be NULL, |
135 | and the locks on which we hold. We should now read the data and | 141 | and the locks on which we hold. We should now read the data and |
136 | release the pages. If the pages are NULL the decompressed data | 142 | release the pages. If the pages are NULL the decompressed data |