Merge tag 'compress-3.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

Pull compress bugfixes from Greg KH: "Here are two bugfixes for some compression functions that resolve some errors when uncompressing some pathalogical data. Both were found by Don A Bailey" * tag 'compress-3.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: lz4: ensure length does not wrap lzo: properly check for overruns
author: Linus Torvalds <torvalds@linux-foundation.org> 2014-06-23 20:05:28 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2014-06-23 20:05:28 -0400
commit: 8b8f5d9715845f9ae2b89ce406e71877965b29ca (patch)
tree: 2d8052aaec3138e5871ad675cf15370fbf27f1ac
parent: 04b5da4a14eef2ed1b92fd762be80fa1ba7a6461 (diff)
parent: 206204a1162b995e2185275167b22468c00d6b36 (diff)
2 files changed, 43 insertions, 21 deletions
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index df6839e3ce08..99a03acb7d47 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -72,6 +72,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
                        len = *ip++;
                        for (; len == 255; length += 255)
                                len = *ip++;
+                        if (unlikely(length > (size_t)(length + len)))
+                                goto _output_error;
                        length += len;
                }
diff --git a/lib/lzo/lzo1x_decompress_safe.c b/lib/lzo/lzo1x_decompress_safe.c
index 569985d522d5..8563081e8da3 100644
--- a/lib/lzo/lzo1x_decompress_safe.c
+++ b/lib/lzo/lzo1x_decompress_safe.c
@@ -19,11 +19,31 @@
 #include <linux/lzo.h>
 #include "lzodefs.h"
-#define HAVE_IP(x)      ((size_t)(ip_end - ip) >= (size_t)(x))
+#define HAVE_IP(t, x)                                   \
-#define HAVE_OP(x)      ((size_t)(op_end - op) >= (size_t)(x))
+        (((size_t)(ip_end - ip) >= (size_t)(t + x)) &&  \
-#define NEED_IP(x)      if (!HAVE_IP(x)) goto input_overrun
+         (((t + x) >= t) && ((t + x) >= x)))
-#define NEED_OP(x)      if (!HAVE_OP(x)) goto output_overrun
-#define TEST_LB(m_pos)  if ((m_pos) < out) goto lookbehind_overrun
+#define HAVE_OP(t, x)                                   \
+        (((size_t)(op_end - op) >= (size_t)(t + x)) &&  \
+         (((t + x) >= t) && ((t + x) >= x)))
+#define NEED_IP(t, x)                                   \
+        do {                                            \
+                if (!HAVE_IP(t, x))                     \
+                        goto input_overrun;             \
+        } while (0)
+#define NEED_OP(t, x)                                   \
+        do {                                            \
+                if (!HAVE_OP(t, x))                     \
+                        goto output_overrun;            \
+        } while (0)
+#define TEST_LB(m_pos)                                  \
+        do {                                            \
+                if ((m_pos) < out)                      \
+                        goto lookbehind_overrun;        \
+        } while (0)
 int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
                          unsigned char *out, size_t *out_len)
@@ -58,14 +78,14 @@ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
                                        while (unlikely(*ip == 0)) {
                                                t += 255;
                                                ip++;
-                                                NEED_IP(1);
+                                                NEED_IP(1, 0);
                                        }
                                        t += 15 + *ip++;
                                }
                                t += 3;
 copy_literal_run:
 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
-                                if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {
+                                if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) {
                                        const unsigned char *ie = ip + t;
                                        unsigned char *oe = op + t;
                                        do {
@@ -81,8 +101,8 @@ copy_literal_run:
                                } else
 #endif
                                {
-                                        NEED_OP(t);
+                                        NEED_OP(t, 0);
-                                        NEED_IP(t + 3);
+                                        NEED_IP(t, 3);
                                        do {
                                                *op++ = *ip++;
                                        } while (--t > 0);
@@ -95,7 +115,7 @@ copy_literal_run:
                                m_pos -= t >> 2;
                                m_pos -= *ip++ << 2;
                                TEST_LB(m_pos);
-                                NEED_OP(2);
+                                NEED_OP(2, 0);
                                op[0] = m_pos[0];
                                op[1] = m_pos[1];
                                op += 2;
@@ -119,10 +139,10 @@ copy_literal_run:
                                while (unlikely(*ip == 0)) {
                                        t += 255;
                                        ip++;
-                                        NEED_IP(1);
+                                        NEED_IP(1, 0);
                                }
                                t += 31 + *ip++;
-                                NEED_IP(2);
+                                NEED_IP(2, 0);
                        }
                        m_pos = op - 1;
                        next = get_unaligned_le16(ip);
@@ -137,10 +157,10 @@ copy_literal_run:
                                while (unlikely(*ip == 0)) {
                                        t += 255;
                                        ip++;
-                                        NEED_IP(1);
+                                        NEED_IP(1, 0);
                                }
                                t += 7 + *ip++;
-                                NEED_IP(2);
+                                NEED_IP(2, 0);
                        }
                        next = get_unaligned_le16(ip);
                        ip += 2;
@@ -154,7 +174,7 @@ copy_literal_run:
 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
                if (op - m_pos >= 8) {
                        unsigned char *oe = op + t;
-                        if (likely(HAVE_OP(t + 15))) {
+                        if (likely(HAVE_OP(t, 15))) {
                                do {
                                        COPY8(op, m_pos);
                                        op += 8;
@@ -164,7 +184,7 @@ copy_literal_run:
                                        m_pos += 8;
                                } while (op < oe);
                                op = oe;
-                                if (HAVE_IP(6)) {
+                                if (HAVE_IP(6, 0)) {
                                        state = next;
                                        COPY4(op, ip);
                                        op += next;
@@ -172,7 +192,7 @@ copy_literal_run:
                                        continue;
                                }
                        } else {
-                                NEED_OP(t);
+                                NEED_OP(t, 0);
                                do {
                                        *op++ = *m_pos++;
                                } while (op < oe);
@@ -181,7 +201,7 @@ copy_literal_run:
 #endif
                {
                        unsigned char *oe = op + t;
-                        NEED_OP(t);
+                        NEED_OP(t, 0);
                        op[0] = m_pos[0];
                        op[1] = m_pos[1];
                        op += 2;
@@ -194,15 +214,15 @@ match_next:
                state = next;
                t = next;
 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
-                if (likely(HAVE_IP(6) && HAVE_OP(4))) {
+                if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) {
                        COPY4(op, ip);
                        op += t;
                        ip += t;
                } else
 #endif
                {
-                        NEED_IP(t + 3);
+                        NEED_IP(t, 3);
-                        NEED_OP(t);
+                        NEED_OP(t, 0);
                        while (t > 0) {
                                *op++ = *ip++;
                                t--;
author	Linus Torvalds <torvalds@linux-foundation.org>	2014-06-23 20:05:28 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2014-06-23 20:05:28 -0400
commit	8b8f5d9715845f9ae2b89ce406e71877965b29ca (patch)
tree	2d8052aaec3138e5871ad675cf15370fbf27f1ac
parent	04b5da4a14eef2ed1b92fd762be80fa1ba7a6461 (diff)
parent	206204a1162b995e2185275167b22468c00d6b36 (diff)

diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c index df6839e3ce08..99a03acb7d47 100644 --- a/lib/lz4/lz4_decompress.c +++ b/lib/lz4/lz4_decompress.c
@@ -72,6 +72,8 @@ static int lz4_uncompress(const char source, char dest, int osize)
72	len = *ip++;	72	len = *ip++;
73	for (; len == 255; length += 255)	73	for (; len == 255; length += 255)
74	len = *ip++;	74	len = *ip++;
		75	if (unlikely(length > (size_t)(length + len)))
		76	goto _output_error;
75	length += len;	77	length += len;
76	}	78	}
77		79


diff --git a/lib/lzo/lzo1x_decompress_safe.c b/lib/lzo/lzo1x_decompress_safe.c index 569985d522d5..8563081e8da3 100644 --- a/lib/lzo/lzo1x_decompress_safe.c +++ b/lib/lzo/lzo1x_decompress_safe.c
@@ -19,11 +19,31 @@
19	#include <linux/lzo.h>	19	#include <linux/lzo.h>
20	#include "lzodefs.h"	20	#include "lzodefs.h"
21		21
22	#define HAVE_IP(x) ((size_t)(ip_end - ip) >= (size_t)(x))	22	#define HAVE_IP(t, x) \
23	#define HAVE_OP(x) ((size_t)(op_end - op) >= (size_t)(x))	23	(((size_t)(ip_end - ip) >= (size_t)(t + x)) && \
24	#define NEED_IP(x) if (!HAVE_IP(x)) goto input_overrun	24	(((t + x) >= t) && ((t + x) >= x)))
25	#define NEED_OP(x) if (!HAVE_OP(x)) goto output_overrun	25
26	#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun	26	#define HAVE_OP(t, x) \
		27	(((size_t)(op_end - op) >= (size_t)(t + x)) && \
		28	(((t + x) >= t) && ((t + x) >= x)))
		29
		30	#define NEED_IP(t, x) \
		31	do { \
		32	if (!HAVE_IP(t, x)) \
		33	goto input_overrun; \
		34	} while (0)
		35
		36	#define NEED_OP(t, x) \
		37	do { \
		38	if (!HAVE_OP(t, x)) \
		39	goto output_overrun; \
		40	} while (0)
		41
		42	#define TEST_LB(m_pos) \
		43	do { \
		44	if ((m_pos) < out) \
		45	goto lookbehind_overrun; \
		46	} while (0)
27		47
28	int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,	48	int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
29	unsigned char out, size_t out_len)	49	unsigned char out, size_t out_len)
@@ -58,14 +78,14 @@ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
58	while (unlikely(*ip == 0)) {	78	while (unlikely(*ip == 0)) {
59	t += 255;	79	t += 255;
60	ip++;	80	ip++;
61	NEED_IP(1);	81	NEED_IP(1, 0);
62	}	82	}
63	t += 15 + *ip++;	83	t += 15 + *ip++;
64	}	84	}
65	t += 3;	85	t += 3;
66	copy_literal_run:	86	copy_literal_run:
67	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)	87	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
68	if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {	88	if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) {
69	const unsigned char *ie = ip + t;	89	const unsigned char *ie = ip + t;
70	unsigned char *oe = op + t;	90	unsigned char *oe = op + t;
71	do {	91	do {
@@ -81,8 +101,8 @@ copy_literal_run:
81	} else	101	} else
82	#endif	102	#endif
83	{	103	{
84	NEED_OP(t);	104	NEED_OP(t, 0);
85	NEED_IP(t + 3);	105	NEED_IP(t, 3);
86	do {	106	do {
87	op++ = ip++;	107	op++ = ip++;
88	} while (--t > 0);	108	} while (--t > 0);
@@ -95,7 +115,7 @@ copy_literal_run:
95	m_pos -= t >> 2;	115	m_pos -= t >> 2;
96	m_pos -= *ip++ << 2;	116	m_pos -= *ip++ << 2;
97	TEST_LB(m_pos);	117	TEST_LB(m_pos);
98	NEED_OP(2);	118	NEED_OP(2, 0);
99	op[0] = m_pos[0];	119	op[0] = m_pos[0];
100	op[1] = m_pos[1];	120	op[1] = m_pos[1];
101	op += 2;	121	op += 2;
@@ -119,10 +139,10 @@ copy_literal_run:
119	while (unlikely(*ip == 0)) {	139	while (unlikely(*ip == 0)) {
120	t += 255;	140	t += 255;
121	ip++;	141	ip++;
122	NEED_IP(1);	142	NEED_IP(1, 0);
123	}	143	}
124	t += 31 + *ip++;	144	t += 31 + *ip++;
125	NEED_IP(2);	145	NEED_IP(2, 0);
126	}	146	}
127	m_pos = op - 1;	147	m_pos = op - 1;
128	next = get_unaligned_le16(ip);	148	next = get_unaligned_le16(ip);
@@ -137,10 +157,10 @@ copy_literal_run:
137	while (unlikely(*ip == 0)) {	157	while (unlikely(*ip == 0)) {
138	t += 255;	158	t += 255;
139	ip++;	159	ip++;
140	NEED_IP(1);	160	NEED_IP(1, 0);
141	}	161	}
142	t += 7 + *ip++;	162	t += 7 + *ip++;
143	NEED_IP(2);	163	NEED_IP(2, 0);
144	}	164	}
145	next = get_unaligned_le16(ip);	165	next = get_unaligned_le16(ip);
146	ip += 2;	166	ip += 2;
@@ -154,7 +174,7 @@ copy_literal_run:
154	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)	174	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
155	if (op - m_pos >= 8) {	175	if (op - m_pos >= 8) {
156	unsigned char *oe = op + t;	176	unsigned char *oe = op + t;
157	if (likely(HAVE_OP(t + 15))) {	177	if (likely(HAVE_OP(t, 15))) {
158	do {	178	do {
159	COPY8(op, m_pos);	179	COPY8(op, m_pos);
160	op += 8;	180	op += 8;
@@ -164,7 +184,7 @@ copy_literal_run:
164	m_pos += 8;	184	m_pos += 8;
165	} while (op < oe);	185	} while (op < oe);
166	op = oe;	186	op = oe;
167	if (HAVE_IP(6)) {	187	if (HAVE_IP(6, 0)) {
168	state = next;	188	state = next;
169	COPY4(op, ip);	189	COPY4(op, ip);
170	op += next;	190	op += next;
@@ -172,7 +192,7 @@ copy_literal_run:
172	continue;	192	continue;
173	}	193	}
174	} else {	194	} else {
175	NEED_OP(t);	195	NEED_OP(t, 0);
176	do {	196	do {
177	op++ = m_pos++;	197	op++ = m_pos++;
178	} while (op < oe);	198	} while (op < oe);
@@ -181,7 +201,7 @@ copy_literal_run:
181	#endif	201	#endif
182	{	202	{
183	unsigned char *oe = op + t;	203	unsigned char *oe = op + t;
184	NEED_OP(t);	204	NEED_OP(t, 0);
185	op[0] = m_pos[0];	205	op[0] = m_pos[0];
186	op[1] = m_pos[1];	206	op[1] = m_pos[1];
187	op += 2;	207	op += 2;
@@ -194,15 +214,15 @@ match_next:
194	state = next;	214	state = next;
195	t = next;	215	t = next;
196	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)	216	#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
197	if (likely(HAVE_IP(6) && HAVE_OP(4))) {	217	if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) {
198	COPY4(op, ip);	218	COPY4(op, ip);
199	op += t;	219	op += t;
200	ip += t;	220	ip += t;
201	} else	221	} else
202	#endif	222	#endif
203	{	223	{
204	NEED_IP(t + 3);	224	NEED_IP(t, 3);
205	NEED_OP(t);	225	NEED_OP(t, 0);
206	while (t > 0) {	226	while (t > 0) {
207	op++ = ip++;	227	op++ = ip++;
208	t--;	228	t--;