2010-11-23 10:16:17

by Lasse Collin

[permalink] [raw]
Subject: [PATCH 1/4] Decompressors: Fix header validation in decompress_unlzma.c

From: Lasse Collin <[email protected]>

Validation of header.pos calls error() but doesn't make the
function return to indicate an error to the caller. Instead
the decoding is attempted with invalid header.pos. This
fixes it.

Signed-off-by: Lasse Collin <[email protected]>
---

--- linux-2.6.37-rc3/lib/decompress_unlzma.c.orig 2010-10-20 23:30:22.000000000 +0300
+++ linux-2.6.37-rc3/lib/decompress_unlzma.c 2010-11-23 11:07:28.000000000 +0200
@@ -580,8 +580,10 @@ STATIC inline int INIT unlzma(unsigned c
((unsigned char *)&header)[i] = *rc.ptr++;
}

- if (header.pos >= (9 * 5 * 5))
+ if (header.pos >= (9 * 5 * 5)) {
error("bad header");
+ goto exit_1;
+ }

mi = 0;
lc = header.pos;