joel16/android_kernel_sony_msm8994
1
0
Fork 0
mirror of https://github.com/joel16/android_kernel_sony_msm8994.git synced 2024-11-23 12:10:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

lz4: fix another possible overrun

Browse Source 
(cherry pick from commit 4148c1f67abf823099b2d7db6851e4aea407f5ee)

There is one other possible overrun in the lz4 code as implemented by
Linux at this point in time (which differs from the upstream lz4
codebase, but will get synced at in a future kernel release.)  As
pointed out by Don, we also need to check the overflow in the data
itself.

While we are at it, replace the odd error return value with just a
"simple" -1 value as the return value is never used for anything other
than a basic "did this work or not" check.

Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Reported-by: Willy Tarreau <w@1wt.eu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 24810447
Change-Id: If06c4719c0b6db3e3e9b693b50fa2218ed1f5078
This commit is contained in:
Greg Kroah-Hartman 2014-06-24 16:59:01 -04:00 committed by Swetha Chikkaboraiah
parent cef0bb5205
commit d3a1cd46cd
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/lz4/lz4_decompress.c
View File

@ -108,6 +108,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
if (length == ML_MASK) {
for (; *ip == 255; length += 255)
ip++;
if (unlikely(length > (size_t)(length + *ip)))
goto _output_error;
length += *ip++;
}
@ -157,7 +159,7 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
/* write overflow error detected */
_output_error:
return (int) (-(((char *)ip) - source));
return -1;
}
static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,