forked from luck/tmp_suning_uos_patched
uclinux: fix gzip header parsing in binfmt_flat.c
There are off-by-one errors in decompress_exec() when calculating the length of optional "original file name" and "comment" fields: the "ret" index is not incremented when terminating '\0' character is reached. The check of the buffer overflow (after an "extra-field" length was taken into account) is also fixed. I've encountered this off-by-one error when tried to reuse gzip-header-parsing part of the decompress_exec() function. There was an "original file name" field in the payload (with miscalculated length) and zlib_inflate() returned Z_DATA_ERROR. But after the fix similar to this one all worked fine. Signed-off-by: Volodymyr G Lukiianyk <volodymyrgl@gmail.com> Acked-by: Greg Ungerer <gerg@snapgear.com> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
0c6aa2639e
commit
f4cfb18d79
|
@ -229,13 +229,13 @@ static int decompress_exec(
|
|||
ret = 10;
|
||||
if (buf[3] & EXTRA_FIELD) {
|
||||
ret += 2 + buf[10] + (buf[11] << 8);
|
||||
if (unlikely(LBUFSIZE == ret)) {
|
||||
if (unlikely(LBUFSIZE <= ret)) {
|
||||
DBG_FLT("binfmt_flat: buffer overflow (EXTRA)?\n");
|
||||
goto out_free_buf;
|
||||
}
|
||||
}
|
||||
if (buf[3] & ORIG_NAME) {
|
||||
for (; ret < LBUFSIZE && (buf[ret] != 0); ret++)
|
||||
while (ret < LBUFSIZE && buf[ret++] != 0)
|
||||
;
|
||||
if (unlikely(LBUFSIZE == ret)) {
|
||||
DBG_FLT("binfmt_flat: buffer overflow (ORIG_NAME)?\n");
|
||||
|
@ -243,7 +243,7 @@ static int decompress_exec(
|
|||
}
|
||||
}
|
||||
if (buf[3] & COMMENT) {
|
||||
for (; ret < LBUFSIZE && (buf[ret] != 0); ret++)
|
||||
while (ret < LBUFSIZE && buf[ret++] != 0)
|
||||
;
|
||||
if (unlikely(LBUFSIZE == ret)) {
|
||||
DBG_FLT("binfmt_flat: buffer overflow (COMMENT)?\n");
|
||||
|
|
Loading…
Reference in New Issue
Block a user