From: Lasse Collin <[email protected]>
Validation of header.pos calls error() but doesn't make the
function return to indicate an error to the caller. Instead
the decoding is attempted with invalid header.pos. This
fixes it.
Signed-off-by: Lasse Collin <[email protected]>
---
--- linux-2.6.37-rc3/lib/decompress_unlzma.c.orig 2010-10-20 23:30:22.000000000 +0300
+++ linux-2.6.37-rc3/lib/decompress_unlzma.c 2010-11-23 11:07:28.000000000 +0200
@@ -580,8 +580,10 @@ STATIC inline int INIT unlzma(unsigned c
((unsigned char *)&header)[i] = *rc.ptr++;
}
- if (header.pos >= (9 * 5 * 5))
+ if (header.pos >= (9 * 5 * 5)) {
error("bad header");
+ goto exit_1;
+ }
mi = 0;
lc = header.pos;