[merged] decompressors-check-input-size-in-decompress_inflatec.patch removed from -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Thu, 13 Jan 2011 12:10:43 -0800

The patch titled
     decompressors: check input size in decompress_inflate.c
has been removed from the -mm tree.  Its filename was
     decompressors-check-input-size-in-decompress_inflatec.patch

This patch was dropped because it was merged into mainline or a subsystem tree

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: decompressors: check input size in decompress_inflate.c
From: Lasse Collin <lasse.collin@xxxxxxxxxxx>

Check for end of the input buffer when skipping over the filename field in
the .gz file header.

Signed-off-by: Lasse Collin <lasse.collin@xxxxxxxxxxx>
Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
Cc: Alain Knaff <alain@xxxxxxxx>
Cc: Albin Tonnerre <albin.tonnerre@xxxxxxxxxxxxxxxxxx>
Cc: Phillip Lougher <phillip@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 lib/decompress_inflate.c |   17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff -puN lib/decompress_inflate.c~decompressors-check-input-size-in-decompress_inflatec lib/decompress_inflate.c

--- a/lib/decompress_inflate.c~decompressors-check-input-size-in-decompress_inflatec
+++ a/lib/decompress_inflate.c
@@ -98,13 +98,22 @@ STATIC int INIT gunzip(unsigned char *bu
 	 * possible asciz filename)
 	 */
 	strm->next_in = zbuf + 10;
+	strm->avail_in = len - 10;
 	/* skip over asciz filename */
 	if (zbuf[3] & 0x8) {
-		while (strm->next_in[0])
-			strm->next_in++;
-		strm->next_in++;
+		do {
+			/*
+			 * If the filename doesn't fit into the buffer,
+			 * the file is very probably corrupt. Don't try
+			 * to read more data.
+			 */
+			if (strm->avail_in == 0) {
+				error("header error");
+				goto gunzip_5;
+			}
+			--strm->avail_in;
+		} while (*strm->next_in++);
 	}
-	strm->avail_in = len - (strm->next_in - zbuf);
 
 	strm->next_out = out_buf;
 	strm->avail_out = out_len;
_

Patches currently in -mm which might be from lasse.collin@xxxxxxxxxxx are

origin.patch

--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html





