| From 4148c1f67abf823099b2d7db6851e4aea407f5ee Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Date: Tue, 24 Jun 2014 16:59:01 -0400 |
| Subject: lz4: fix another possible overrun |
| |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| commit 4148c1f67abf823099b2d7db6851e4aea407f5ee upstream. |
| |
| There is one other possible overrun in the lz4 code as implemented by |
| Linux at this point in time (which differs from the upstream lz4 |
| codebase, but will get synced at in a future kernel release.) As |
| pointed out by Don, we also need to check the overflow in the data |
| itself. |
| |
| While we are at it, replace the odd error return value with just a |
| "simple" -1 value as the return value is never used for anything other |
| than a basic "did this work or not" check. |
| |
| Reported-by: "Don A. Bailey" <donb@securitymouse.com> |
| Reported-by: Willy Tarreau <w@1wt.eu> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| lib/lz4/lz4_decompress.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/lib/lz4/lz4_decompress.c |
| +++ b/lib/lz4/lz4_decompress.c |
| @@ -108,6 +108,8 @@ static int lz4_uncompress(const char *so |
| if (length == ML_MASK) { |
| for (; *ip == 255; length += 255) |
| ip++; |
| + if (unlikely(length > (size_t)(length + *ip))) |
| + goto _output_error; |
| length += *ip++; |
| } |
| |
| @@ -157,7 +159,7 @@ static int lz4_uncompress(const char *so |
| |
| /* write overflow error detected */ |
| _output_error: |
| - return (int) (-(((char *)ip) - source)); |
| + return -1; |
| } |
| |
| static int lz4_uncompress_unknownoutputsize(const char *source, char *dest, |