diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-23 20:05:28 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-23 20:05:28 -0400 |
commit | 8b8f5d9715845f9ae2b89ce406e71877965b29ca (patch) | |
tree | 2d8052aaec3138e5871ad675cf15370fbf27f1ac /lib | |
parent | 04b5da4a14eef2ed1b92fd762be80fa1ba7a6461 (diff) | |
parent | 206204a1162b995e2185275167b22468c00d6b36 (diff) |
Merge tag 'compress-3.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
Pull compress bugfixes from Greg KH:
"Here are two bugfixes for some compression functions that resolve some
errors when uncompressing some pathalogical data. Both were found by
Don A Bailey"
* tag 'compress-3.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
lz4: ensure length does not wrap
lzo: properly check for overruns
Diffstat (limited to 'lib')
-rw-r--r-- | lib/lz4/lz4_decompress.c | 2 | ||||
-rw-r--r-- | lib/lzo/lzo1x_decompress_safe.c | 62 |
2 files changed, 43 insertions, 21 deletions
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c index df6839e3ce08..99a03acb7d47 100644 --- a/lib/lz4/lz4_decompress.c +++ b/lib/lz4/lz4_decompress.c | |||
@@ -72,6 +72,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize) | |||
72 | len = *ip++; | 72 | len = *ip++; |
73 | for (; len == 255; length += 255) | 73 | for (; len == 255; length += 255) |
74 | len = *ip++; | 74 | len = *ip++; |
75 | if (unlikely(length > (size_t)(length + len))) | ||
76 | goto _output_error; | ||
75 | length += len; | 77 | length += len; |
76 | } | 78 | } |
77 | 79 | ||
diff --git a/lib/lzo/lzo1x_decompress_safe.c b/lib/lzo/lzo1x_decompress_safe.c index 569985d522d5..8563081e8da3 100644 --- a/lib/lzo/lzo1x_decompress_safe.c +++ b/lib/lzo/lzo1x_decompress_safe.c | |||
@@ -19,11 +19,31 @@ | |||
19 | #include <linux/lzo.h> | 19 | #include <linux/lzo.h> |
20 | #include "lzodefs.h" | 20 | #include "lzodefs.h" |
21 | 21 | ||
22 | #define HAVE_IP(x) ((size_t)(ip_end - ip) >= (size_t)(x)) | 22 | #define HAVE_IP(t, x) \ |
23 | #define HAVE_OP(x) ((size_t)(op_end - op) >= (size_t)(x)) | 23 | (((size_t)(ip_end - ip) >= (size_t)(t + x)) && \ |
24 | #define NEED_IP(x) if (!HAVE_IP(x)) goto input_overrun | 24 | (((t + x) >= t) && ((t + x) >= x))) |
25 | #define NEED_OP(x) if (!HAVE_OP(x)) goto output_overrun | 25 | |
26 | #define TEST_LB(m_pos) if ((m_pos) < out) goto lookbehind_overrun | 26 | #define HAVE_OP(t, x) \ |
27 | (((size_t)(op_end - op) >= (size_t)(t + x)) && \ | ||
28 | (((t + x) >= t) && ((t + x) >= x))) | ||
29 | |||
30 | #define NEED_IP(t, x) \ | ||
31 | do { \ | ||
32 | if (!HAVE_IP(t, x)) \ | ||
33 | goto input_overrun; \ | ||
34 | } while (0) | ||
35 | |||
36 | #define NEED_OP(t, x) \ | ||
37 | do { \ | ||
38 | if (!HAVE_OP(t, x)) \ | ||
39 | goto output_overrun; \ | ||
40 | } while (0) | ||
41 | |||
42 | #define TEST_LB(m_pos) \ | ||
43 | do { \ | ||
44 | if ((m_pos) < out) \ | ||
45 | goto lookbehind_overrun; \ | ||
46 | } while (0) | ||
27 | 47 | ||
28 | int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, | 48 | int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, |
29 | unsigned char *out, size_t *out_len) | 49 | unsigned char *out, size_t *out_len) |
@@ -58,14 +78,14 @@ int lzo1x_decompress_safe(const unsigned char *in, size_t in_len, | |||
58 | while (unlikely(*ip == 0)) { | 78 | while (unlikely(*ip == 0)) { |
59 | t += 255; | 79 | t += 255; |
60 | ip++; | 80 | ip++; |
61 | NEED_IP(1); | 81 | NEED_IP(1, 0); |
62 | } | 82 | } |
63 | t += 15 + *ip++; | 83 | t += 15 + *ip++; |
64 | } | 84 | } |
65 | t += 3; | 85 | t += 3; |
66 | copy_literal_run: | 86 | copy_literal_run: |
67 | #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) | 87 | #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) |
68 | if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) { | 88 | if (likely(HAVE_IP(t, 15) && HAVE_OP(t, 15))) { |
69 | const unsigned char *ie = ip + t; | 89 | const unsigned char *ie = ip + t; |
70 | unsigned char *oe = op + t; | 90 | unsigned char *oe = op + t; |
71 | do { | 91 | do { |
@@ -81,8 +101,8 @@ copy_literal_run: | |||
81 | } else | 101 | } else |
82 | #endif | 102 | #endif |
83 | { | 103 | { |
84 | NEED_OP(t); | 104 | NEED_OP(t, 0); |
85 | NEED_IP(t + 3); | 105 | NEED_IP(t, 3); |
86 | do { | 106 | do { |
87 | *op++ = *ip++; | 107 | *op++ = *ip++; |
88 | } while (--t > 0); | 108 | } while (--t > 0); |
@@ -95,7 +115,7 @@ copy_literal_run: | |||
95 | m_pos -= t >> 2; | 115 | m_pos -= t >> 2; |
96 | m_pos -= *ip++ << 2; | 116 | m_pos -= *ip++ << 2; |
97 | TEST_LB(m_pos); | 117 | TEST_LB(m_pos); |
98 | NEED_OP(2); | 118 | NEED_OP(2, 0); |
99 | op[0] = m_pos[0]; | 119 | op[0] = m_pos[0]; |
100 | op[1] = m_pos[1]; | 120 | op[1] = m_pos[1]; |
101 | op += 2; | 121 | op += 2; |
@@ -119,10 +139,10 @@ copy_literal_run: | |||
119 | while (unlikely(*ip == 0)) { | 139 | while (unlikely(*ip == 0)) { |
120 | t += 255; | 140 | t += 255; |
121 | ip++; | 141 | ip++; |
122 | NEED_IP(1); | 142 | NEED_IP(1, 0); |
123 | } | 143 | } |
124 | t += 31 + *ip++; | 144 | t += 31 + *ip++; |
125 | NEED_IP(2); | 145 | NEED_IP(2, 0); |
126 | } | 146 | } |
127 | m_pos = op - 1; | 147 | m_pos = op - 1; |
128 | next = get_unaligned_le16(ip); | 148 | next = get_unaligned_le16(ip); |
@@ -137,10 +157,10 @@ copy_literal_run: | |||
137 | while (unlikely(*ip == 0)) { | 157 | while (unlikely(*ip == 0)) { |
138 | t += 255; | 158 | t += 255; |
139 | ip++; | 159 | ip++; |
140 | NEED_IP(1); | 160 | NEED_IP(1, 0); |
141 | } | 161 | } |
142 | t += 7 + *ip++; | 162 | t += 7 + *ip++; |
143 | NEED_IP(2); | 163 | NEED_IP(2, 0); |
144 | } | 164 | } |
145 | next = get_unaligned_le16(ip); | 165 | next = get_unaligned_le16(ip); |
146 | ip += 2; | 166 | ip += 2; |
@@ -154,7 +174,7 @@ copy_literal_run: | |||
154 | #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) | 174 | #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) |
155 | if (op - m_pos >= 8) { | 175 | if (op - m_pos >= 8) { |
156 | unsigned char *oe = op + t; | 176 | unsigned char *oe = op + t; |
157 | if (likely(HAVE_OP(t + 15))) { | 177 | if (likely(HAVE_OP(t, 15))) { |
158 | do { | 178 | do { |
159 | COPY8(op, m_pos); | 179 | COPY8(op, m_pos); |
160 | op += 8; | 180 | op += 8; |
@@ -164,7 +184,7 @@ copy_literal_run: | |||
164 | m_pos += 8; | 184 | m_pos += 8; |
165 | } while (op < oe); | 185 | } while (op < oe); |
166 | op = oe; | 186 | op = oe; |
167 | if (HAVE_IP(6)) { | 187 | if (HAVE_IP(6, 0)) { |
168 | state = next; | 188 | state = next; |
169 | COPY4(op, ip); | 189 | COPY4(op, ip); |
170 | op += next; | 190 | op += next; |
@@ -172,7 +192,7 @@ copy_literal_run: | |||
172 | continue; | 192 | continue; |
173 | } | 193 | } |
174 | } else { | 194 | } else { |
175 | NEED_OP(t); | 195 | NEED_OP(t, 0); |
176 | do { | 196 | do { |
177 | *op++ = *m_pos++; | 197 | *op++ = *m_pos++; |
178 | } while (op < oe); | 198 | } while (op < oe); |
@@ -181,7 +201,7 @@ copy_literal_run: | |||
181 | #endif | 201 | #endif |
182 | { | 202 | { |
183 | unsigned char *oe = op + t; | 203 | unsigned char *oe = op + t; |
184 | NEED_OP(t); | 204 | NEED_OP(t, 0); |
185 | op[0] = m_pos[0]; | 205 | op[0] = m_pos[0]; |
186 | op[1] = m_pos[1]; | 206 | op[1] = m_pos[1]; |
187 | op += 2; | 207 | op += 2; |
@@ -194,15 +214,15 @@ match_next: | |||
194 | state = next; | 214 | state = next; |
195 | t = next; | 215 | t = next; |
196 | #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) | 216 | #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) |
197 | if (likely(HAVE_IP(6) && HAVE_OP(4))) { | 217 | if (likely(HAVE_IP(6, 0) && HAVE_OP(4, 0))) { |
198 | COPY4(op, ip); | 218 | COPY4(op, ip); |
199 | op += t; | 219 | op += t; |
200 | ip += t; | 220 | ip += t; |
201 | } else | 221 | } else |
202 | #endif | 222 | #endif |
203 | { | 223 | { |
204 | NEED_IP(t + 3); | 224 | NEED_IP(t, 3); |
205 | NEED_OP(t); | 225 | NEED_OP(t, 0); |
206 | while (t > 0) { | 226 | while (t > 0) { |
207 | *op++ = *ip++; | 227 | *op++ = *ip++; |
208 | t--; | 228 | t--; |