aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@g5.osdl.org>2005-08-06 12:42:06 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2005-08-06 12:42:06 -0400
commitfab5a60a29f98f17256a4183e34a414f6db67569 (patch)
treeeff86901dda863299501c6e729a2d621f607314f
parent243393c90f2b7cb781fd794e22786e9c8547901a (diff)
Check input buffer size in zisofs
This uses the new deflateBound() thing to sanity-check the input to the zlib decompressor before we even bother to start reading in the blocks. Problem noted by Tim Yamin <plasmaroo@gentoo.org>
-rw-r--r--fs/isofs/compress.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/isofs/compress.c b/fs/isofs/compress.c
index 34a44e451689..4917315db732 100644
--- a/fs/isofs/compress.c
+++ b/fs/isofs/compress.c
@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *file, struct page *page)
129 cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask))); 129 cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
130 brelse(bh); 130 brelse(bh);
131 131
132 if (cstart > cend)
133 goto eio;
134
132 csize = cend-cstart; 135 csize = cend-cstart;
133 136
137 if (csize > deflateBound(1UL << zisofs_block_shift))
138 goto eio;
139
134 /* Now page[] contains an array of pages, any of which can be NULL, 140 /* Now page[] contains an array of pages, any of which can be NULL,
135 and the locks on which we hold. We should now read the data and 141 and the locks on which we hold. We should now read the data and
136 release the pages. If the pages are NULL the decompressed data 142 release the pages. If the pages are NULL the decompressed data