Commit f4cfb18d authored by Volodymyr G. Lukiianyk's avatar Volodymyr G. Lukiianyk Committed by Linus Torvalds

uclinux: fix gzip header parsing in binfmt_flat.c

There are off-by-one errors in decompress_exec() when calculating the length of
optional "original file name" and "comment" fields: the "ret" index is not
incremented when terminating '\0' character is reached. The check of the buffer
overflow (after an "extra-field" length was taken into account) is also fixed.

I've encountered this off-by-one error when tried to reuse
gzip-header-parsing part of the decompress_exec() function.  There was an
"original file name" field in the payload (with miscalculated length) and
zlib_inflate() returned Z_DATA_ERROR.  But after the fix similar to this
one all worked fine.
Signed-off-by: default avatarVolodymyr G Lukiianyk <volodymyrgl@gmail.com>
Acked-by: default avatarGreg Ungerer <gerg@snapgear.com>
Acked-by: default avatarDavid Howells <dhowells@redhat.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 0c6aa263
......@@ -229,13 +229,13 @@ static int decompress_exec(
ret = 10;
if (buf[3] & EXTRA_FIELD) {
ret += 2 + buf[10] + (buf[11] << 8);
if (unlikely(LBUFSIZE == ret)) {
if (unlikely(LBUFSIZE <= ret)) {
DBG_FLT("binfmt_flat: buffer overflow (EXTRA)?\n");
goto out_free_buf;
}
}
if (buf[3] & ORIG_NAME) {
for (; ret < LBUFSIZE && (buf[ret] != 0); ret++)
while (ret < LBUFSIZE && buf[ret++] != 0)
;
if (unlikely(LBUFSIZE == ret)) {
DBG_FLT("binfmt_flat: buffer overflow (ORIG_NAME)?\n");
......@@ -243,7 +243,7 @@ static int decompress_exec(
}
}
if (buf[3] & COMMENT) {
for (; ret < LBUFSIZE && (buf[ret] != 0); ret++)
while (ret < LBUFSIZE && buf[ret++] != 0)
;
if (unlikely(LBUFSIZE == ret)) {
DBG_FLT("binfmt_flat: buffer overflow (COMMENT)?\n");
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment