decompressors: check input size in decompress_inflate.c

Check for end of the input buffer when skipping over the filename field in
the .gz file header.

Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Alain Knaff <alain@knaff.lu>
Cc: Albin Tonnerre <albin.tonnerre@free-electrons.com>
Cc: Phillip Lougher <phillip@lougher.demon.co.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
diff --git a/lib/decompress_inflate.c b/lib/decompress_inflate.c
index b5fe1d1..19ff89e 100644
--- a/lib/decompress_inflate.c
+++ b/lib/decompress_inflate.c
@@ -98,13 +98,22 @@
 	 * possible asciz filename)
 	 */
 	strm->next_in = zbuf + 10;
+	strm->avail_in = len - 10;
 	/* skip over asciz filename */
 	if (zbuf[3] & 0x8) {
-		while (strm->next_in[0])
-			strm->next_in++;
-		strm->next_in++;
+		do {
+			/*
+			 * If the filename doesn't fit into the buffer,
+			 * the file is very probably corrupt. Don't try
+			 * to read more data.
+			 */
+			if (strm->avail_in == 0) {
+				error("header error");
+				goto gunzip_5;
+			}
+			--strm->avail_in;
+		} while (*strm->next_in++);
 	}
-	strm->avail_in = len - (strm->next_in - zbuf);
 
 	strm->next_out = out_buf;
 	strm->avail_out = out_len;
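Review bot: The added `strm->avail_in = len - 10;` assumes the input holds at least the 10-byte fixed gzip header, and nothing in this hunk establishes that. If `len` is below 10, the subtraction gives a negative or wrapped count, so the `strm->avail_in == 0` test in the new loop never fires and the filename scan can still read past the end of the buffer. Unless the code above the hunk already rejects short input, add a guard before the assignment, for example `if (len < 10) { error("header error"); goto gunzip_5; }`. The enclosing function starts and ends outside the hunk, so the type of `len` and any earlier length check are not visible here and should be confirmed.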