decompressors: check input size in decompress_inflate.c
Check for end of the input buffer when skipping over the filename field in the .gz file header. Signed-off-by: Lasse Collin <lasse.collin@tukaani.org> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Alain Knaff <alain@knaff.lu> Cc: Albin Tonnerre <albin.tonnerre@free-electrons.com> Cc: Phillip Lougher <phillip@lougher.demon.co.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
303148045a
commit
1da914e064
|
@ -98,13 +98,22 @@ STATIC int INIT gunzip(unsigned char *buf, int len,
|
|||
* possible asciz filename)
|
||||
*/
|
||||
strm->next_in = zbuf + 10;
|
||||
strm->avail_in = len - 10;
|
||||
/* skip over asciz filename */
|
||||
if (zbuf[3] & 0x8) {
|
||||
while (strm->next_in[0])
|
||||
strm->next_in++;
|
||||
strm->next_in++;
|
||||
do {
|
||||
/*
|
||||
* If the filename doesn't fit into the buffer,
|
||||
* the file is very probably corrupt. Don't try
|
||||
* to read more data.
|
||||
*/
|
||||
if (strm->avail_in == 0) {
|
||||
error("header error");
|
||||
goto gunzip_5;
|
||||
}
|
||||
--strm->avail_in;
|
||||
} while (*strm->next_in++);
|
||||
}
|
||||
strm->avail_in = len - (strm->next_in - zbuf);
|
||||
|
||||
strm->next_out = out_buf;
|
||||
strm->avail_out = out_len;
|
||||
|
|
Loading…
Reference in New Issue