decompressors: check input size in decompress_inflate.c

Larhzu · torvalds · commit 1da914e0648a · 2011-01-13T08:03:25.000-08:00
Check for end of the input buffer when skipping over the filename field in
the .gz file header.

Signed-off-by: Lasse Collin &lt;lasse.collin@tukaani.org&gt;
Cc: "H. Peter Anvin" &lt;hpa@zytor.com&gt;
Cc: Alain Knaff &lt;alain@knaff.lu&gt;
Cc: Albin Tonnerre &lt;albin.tonnerre@free-electrons.com&gt;
Cc: Phillip Lougher &lt;phillip@lougher.demon.co.uk&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
diff --git a/lib/decompress_inflate.c b/lib/decompress_inflate.c
@@ -98,13 +98,22 @@ STATIC int INIT gunzip(unsigned char *buf, int len,
 	 * possible asciz filename)
 	 */
 	strm->next_in = zbuf + 10;
+	strm->avail_in = len - 10;
 	/* skip over asciz filename */
 	if (zbuf[3] & 0x8) {
-		while (strm->next_in[0])
-			strm->next_in++;
-		strm->next_in++;
+		do {
+			/*
+			 * If the filename doesn't fit into the buffer,
+			 * the file is very probably corrupt. Don't try
+			 * to read more data.
+			 */
+			if (strm->avail_in == 0) {
+				error("header error");
+				goto gunzip_5;
+			}
+			--strm->avail_in;
+		} while (*strm->next_in++);
 	}
-	strm->avail_in = len - (strm->next_in - zbuf);
 
 	strm->next_out = out_buf;
 	strm->avail_out = out_len;
