mirror of
https://github.com/joel16/android_kernel_sony_msm8994_rework.git
synced 2025-01-01 09:08:55 +00:00
Check input buffer size in zisofs
This uses the new deflateBound() thing to sanity-check the input to the zlib decompressor before we even bother to start reading in the blocks. Problem noted by Tim Yamin <plasmaroo@gentoo.org>
This commit is contained in:
parent
243393c90f
commit
fab5a60a29
@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *file, struct page *page)
|
||||
cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
|
||||
brelse(bh);
|
||||
|
||||
if (cstart > cend)
|
||||
goto eio;
|
||||
|
||||
csize = cend-cstart;
|
||||
|
||||
if (csize > deflateBound(1UL << zisofs_block_shift))
|
||||
goto eio;
|
||||
|
||||
/* Now page[] contains an array of pages, any of which can be NULL,
|
||||
and the locks on which we hold. We should now read the data and
|
||||
release the pages. If the pages are NULL the decompressed data
|
||||
|
Loading…
Reference in New Issue
Block a user