+ zlib-inflate-fix-potential-buffer-overflow.patch added to -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Mon, 03 Apr 2017 15:32:59 -0700

The patch titled
     Subject: lib/zlib_inflate/inftrees.c: fix potential buffer overflow
has been added to the -mm tree.  Its filename is
     zlib-inflate-fix-potential-buffer-overflow.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/zlib-inflate-fix-potential-buffer-overflow.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/zlib-inflate-fix-potential-buffer-overflow.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Guenter Roeck <linux@xxxxxxxxxxxx>
Subject: lib/zlib_inflate/inftrees.c: fix potential buffer overflow

smatch says:

lib/zlib_inflate/inftrees.c:240 zlib_inflate_table() error:
	buffer overflow 'count' 16 <= 16

The loop calculating the value for 'min', which is later used to access
count[], can indeed result in an index larger than ARRAY_SIZE(count)
if the array is filled with 0.

Fixes: 4f3865fb57a04 ("zlib_inflate: Upgrade library code to a recent version")
Link: http://lkml.kernel.org/r/1491236059-32592-1-git-send-email-linux@xxxxxxxxxxxx
Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 lib/zlib_inflate/inftrees.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN lib/zlib_inflate/inftrees.c~zlib-inflate-fix-potential-buffer-overflow lib/zlib_inflate/inftrees.c

--- a/lib/zlib_inflate/inftrees.c~zlib-inflate-fix-potential-buffer-overflow
+++ a/lib/zlib_inflate/inftrees.c
@@ -109,7 +109,7 @@ int zlib_inflate_table(codetype type, un
         *bits = 1;
         return 0;     /* no symbols, but wait for decoding to report error */
     }
-    for (min = 1; min <= MAXBITS; min++)
+    for (min = 1; min < MAXBITS; min++)
         if (count[min] != 0) break;
     if (root < min) root = min;
 
_

Patches currently in -mm which might be from linux@xxxxxxxxxxxx are

zlib-inflate-fix-potential-buffer-overflow.patch

--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






