[PATCH 3.13 175/198] lz4: ensure length does not wrap
Kamal Mostafa
kamal at canonical.com
Tue Jul 15 21:30:45 UTC 2014
3.13.11.5 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
commit 206204a1162b995e2185275167b22468c00d6b36 upstream.
Given some pathologically compressed data, lz4 could possibly decide to
wrap a few internal variables, causing unknown things to happen. Catch
this before the wrapping happens and abort the decompression.
Reported-by: "Don A. Bailey" <donb at securitymouse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
lib/lz4/lz4_decompress.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index df6839e..99a03ac 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -72,6 +72,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
len = *ip++;
for (; len == 255; length += 255)
len = *ip++;
+ if (unlikely(length > (size_t)(length + len)))
+ goto _output_error;
length += len;
}
--
1.9.1
More information about the kernel-team
mailing list