Check input buffer size in zisofs |
|
Check input buffer size in zisofs |
| 1 |
|
1 |
|
| 2 |
This uses the new deflateBound() thing to sanity-check the input to the |
2 |
This uses the new deflateBound() thing to sanity-check the input to the |
| 3 |
zlib decompressor before we even bother to start reading in the blocks. |
3 |
zlib decompressor before we even bother to start reading in the blocks. |
| 4 |
|
4 |
|
| 5 |
Problem noted by Tim Yamin <plasmaroo@gentoo.org> |
5 |
Problem noted by Tim Yamin <plasmaroo@gentoo.org> |
| 6 |
-- |
6 |
++ b/fs/isofs/compress.c |
| 7 |
-- a/fs/isofs/compress.c |
|
|
|
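--- a/fs/isofs/compress.c
+++ b/fs/isofs/compress.c
@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *
 cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
 brelse(bh);
 
+if (cstart > cend)
+goto eio;
+
 csize = cend-cstart;
 
+if (csize > deflateBound(1UL << zisofs_block_shift))
+goto eio;
+
 /* Now page[] contains an array of pages, any of which can be NULL,
 and the locks on which we hold. We should now read the data and
 release the pages. If the pages are NULL the decompressed data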
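Review bot: The two new `goto eio` checks have no comment saying why they exist, and the reason is not obvious from the code: `cend` is read straight out of buffer data (`le32_to_cpu(... bh->b_data ...)` at the top of the hunk), and `cstart` is presumably read the same way above it, so both are values controlled by the filesystem image. I would add `/* offsets come from the image: reject a reversed pair before subtracting */` above the first check and `/* compressed size may not exceed the deflate bound for one uncompressed block */` above the second. The second check also evaluates `1UL << zisofs_block_shift`, and `zisofs_block_shift` is assigned outside the hunk; if it is taken from the image header without a range check, it needs bounding to less than the width of `unsigned long` before this line, otherwise the limit being compared against is itself undefined. zisofs_readpage's body starts and ends outside the hunk, so the declarations of `cstart`, `cend` and `csize` could not be checked here.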