aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2014-06-23 20:05:28 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2014-06-23 20:05:28 -0400
commit8b8f5d9715845f9ae2b89ce406e71877965b29ca (patch)
tree2d8052aaec3138e5871ad675cf15370fbf27f1ac /lib
parent04b5da4a14eef2ed1b92fd762be80fa1ba7a6461 (diff)
parent206204a1162b995e2185275167b22468c00d6b36 (diff)
Merge tag 'compress-3.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
Pull compress bugfixes from Greg KH: "Here are two bugfixes for some compression functions that resolve some errors when uncompressing some pathalogical data. Both were found by Don A Bailey" * tag 'compress-3.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: lz4: ensure length does not wrap lzo: properly check for overruns
Diffstat (limited to 'lib')
-rw-r--r--lib/lz4/lz4_decompress.c2
-rw-r--r--lib/lzo/lzo1x_decompress_safe.c62
2 files changed, 43 insertions, 21 deletions
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index df6839e3ce08..99a03acb7d47 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -72,6 +72,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
72 len = *ip++; 72 len = *ip++;
73 for (; len == 255; length += 255) 73 for (; len == 255; length += 255)
74 len = *ip++; 74 len = *ip++;
75 if (unlikely(length > (size_t)(length + len)))
76 goto _output_error;
75 length += len; 77 length += len;
76 } 78 }
77 79
diff --git a/lib/lzo/lzo1x_decompress_safe.c b/lib/lzo/lzo1x_decompress_safe.c
index 569985d522d5..8563081e8da3 100644
--- a/lib/lzo/lzo1x_decompress_safe.c
+++ b/lib/lzo/lzo1x_decompress_safe.c
@@ -19,11 +19,31 @@
19#include <linux/lzo.h> 19#include <linux/lzo.h>
20#include "lzodefs.h" 20#include "lzodefs.h"
21 21
22#define HAVE_IP(x) ((size_t)(ip_end - ip) >= (size_t)(x)) 22#define HAVE_IP(t, x) \
23#define HAVE_OP(x) ((size_t)(op_end - op) >= (size_t)(x)) 23 (((size_t)(ip_end - ip) >= (size_t)(t + x)) && \
24#define NEED_IP(x) if (!HAVE_IP(x)) goto input_overrun 24 (((t + x) >= t) && ((t + x) >= x)))
25#define NEED_OP(x) if (!HAVE_OP(x)) goto output_overrun 25
26#define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun 26#define HAVE_OP(t, x) \
27 (((size_t)(op_end - op) >= (size_t)(t + x)) && \
28 (((t + x) >= t) && ((t + x) >= x)))
29
30#define NEED_IP(t, x) \
31 do { \
32 if (!HAVE_IP(t, x)) \
33 goto input_overrun; \
34 } while (0)
35
36#define NEED_OP(t, x) \
37 do { \
38 if (!HAVE_OP(t, x)) \
39 goto output_overrun; \
40 } while (0)
41
42#define TEST_LB(m_pos) \
43 do { \
44 if ((m_pos) < out) \
45 goto lookbehind_overrun; \
46 } while (0)
27 47
28int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, 48int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
29 unsigned char *out, size_t *out_len) 49 unsigned char *out, size_t *out_len)
@@ -58,14 +78,14 @@ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
58 while (unlikely(*ip == 0)) { 78 while (unlikely(*ip == 0)) {
59 t += 255; 79 t += 255;
60 ip++; 80 ip++;
61 NEED_IP(1); 81 NEED_IP(1, 0);
62 } 82 }
63 t += 15 + *ip++; 83 t += 15 + *ip++;
64 } 84 }
65 t += 3; 85 t += 3;
66copy_literal_run: 86copy_literal_run:
67#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) 87#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
68 if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) { 88 if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) {
69 const unsigned char *ie = ip + t; 89 const unsigned char *ie = ip + t;
70 unsigned char *oe = op + t; 90 unsigned char *oe = op + t;
71 do { 91 do {
@@ -81,8 +101,8 @@ copy_literal_run:
81 } else 101 } else
82#endif 102#endif
83 { 103 {
84 NEED_OP(t); 104 NEED_OP(t, 0);
85 NEED_IP(t + 3); 105 NEED_IP(t, 3);
86 do { 106 do {
87 *op++ = *ip++; 107 *op++ = *ip++;
88 } while (--t > 0); 108 } while (--t > 0);
@@ -95,7 +115,7 @@ copy_literal_run:
95 m_pos -= t >> 2; 115 m_pos -= t >> 2;
96 m_pos -= *ip++ << 2; 116 m_pos -= *ip++ << 2;
97 TEST_LB(m_pos); 117 TEST_LB(m_pos);
98 NEED_OP(2); 118 NEED_OP(2, 0);
99 op[0] = m_pos[0]; 119 op[0] = m_pos[0];
100 op[1] = m_pos[1]; 120 op[1] = m_pos[1];
101 op += 2; 121 op += 2;
@@ -119,10 +139,10 @@ copy_literal_run:
119 while (unlikely(*ip == 0)) { 139 while (unlikely(*ip == 0)) {
120 t += 255; 140 t += 255;
121 ip++; 141 ip++;
122 NEED_IP(1); 142 NEED_IP(1, 0);
123 } 143 }
124 t += 31 + *ip++; 144 t += 31 + *ip++;
125 NEED_IP(2); 145 NEED_IP(2, 0);
126 } 146 }
127 m_pos = op - 1; 147 m_pos = op - 1;
128 next = get_unaligned_le16(ip); 148 next = get_unaligned_le16(ip);
@@ -137,10 +157,10 @@ copy_literal_run:
137 while (unlikely(*ip == 0)) { 157 while (unlikely(*ip == 0)) {
138 t += 255; 158 t += 255;
139 ip++; 159 ip++;
140 NEED_IP(1); 160 NEED_IP(1, 0);
141 } 161 }
142 t += 7 + *ip++; 162 t += 7 + *ip++;
143 NEED_IP(2); 163 NEED_IP(2, 0);
144 } 164 }
145 next = get_unaligned_le16(ip); 165 next = get_unaligned_le16(ip);
146 ip += 2; 166 ip += 2;
@@ -154,7 +174,7 @@ copy_literal_run:
154#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) 174#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
155 if (op - m_pos >= 8) { 175 if (op - m_pos >= 8) {
156 unsigned char *oe = op + t; 176 unsigned char *oe = op + t;
157 if (likely(HAVE_OP(t + 15))) { 177 if (likely(HAVE_OP(t, 15))) {
158 do { 178 do {
159 COPY8(op, m_pos); 179 COPY8(op, m_pos);
160 op += 8; 180 op += 8;
@@ -164,7 +184,7 @@ copy_literal_run:
164 m_pos += 8; 184 m_pos += 8;
165 } while (op < oe); 185 } while (op < oe);
166 op = oe; 186 op = oe;
167 if (HAVE_IP(6)) { 187 if (HAVE_IP(6, 0)) {
168 state = next; 188 state = next;
169 COPY4(op, ip); 189 COPY4(op, ip);
170 op += next; 190 op += next;
@@ -172,7 +192,7 @@ copy_literal_run:
172 continue; 192 continue;
173 } 193 }
174 } else { 194 } else {
175 NEED_OP(t); 195 NEED_OP(t, 0);
176 do { 196 do {
177 *op++ = *m_pos++; 197 *op++ = *m_pos++;
178 } while (op < oe); 198 } while (op < oe);
@@ -181,7 +201,7 @@ copy_literal_run:
181#endif 201#endif
182 { 202 {
183 unsigned char *oe = op + t; 203 unsigned char *oe = op + t;
184 NEED_OP(t); 204 NEED_OP(t, 0);
185 op[0] = m_pos[0]; 205 op[0] = m_pos[0];
186 op[1] = m_pos[1]; 206 op[1] = m_pos[1];
187 op += 2; 207 op += 2;
@@ -194,15 +214,15 @@ match_next:
194 state = next; 214 state = next;
195 t = next; 215 t = next;
196#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) 216#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
197 if (likely(HAVE_IP(6) && HAVE_OP(4))) { 217 if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) {
198 COPY4(op, ip); 218 COPY4(op, ip);
199 op += t; 219 op += t;
200 ip += t; 220 ip += t;
201 } else 221 } else
202#endif 222#endif
203 { 223 {
204 NEED_IP(t + 3); 224 NEED_IP(t, 3);
205 NEED_OP(t); 225 NEED_OP(t, 0);
206 while (t > 0) { 226 while (t > 0) {
207 *op++ = *ip++; 227 *op++ = *ip++;
208 t--; 228 t--;