decompressors: check input size in decompress_inflate.c

Check for end of the input buffer when skipping over the filename field in
the .gz file header.

Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Alain Knaff <alain@knaff.lu>
Cc: Albin Tonnerre <albin.tonnerre@free-electrons.com>
Cc: Phillip Lougher <phillip@lougher.demon.co.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/lib/decompress_inflate.c b/lib/decompress_inflate.c
index b5fe1d1..19ff89e 100644 (file)
--- a/lib/decompress_inflate.c
+++ b/lib/decompress_inflate.c
@@ -98,13 +98,22 @@ STATIC int INIT gunzip(unsigned char *buf, int len,
         * possible asciz filename)
         */
        strm->next_in = zbuf + 10;
+       strm->avail_in = len - 10;
        /* skip over asciz filename */
        if (zbuf[3] & 0x8) {
-               while (strm->next_in[0])
-                       strm->next_in++;
-               strm->next_in++;
+               do {
+                       /*
+                        * If the filename doesn't fit into the buffer,
+                        * the file is very probably corrupt. Don't try
+                        * to read more data.
+                        */
+                       if (strm->avail_in == 0) {
+                               error("header error");
+                               goto gunzip_5;
+                       }
+                       --strm->avail_in;
+               } while (*strm->next_in++);
        }
-       strm->avail_in = len - (strm->next_in - zbuf);
 
        strm->next_out = out_buf;
        strm->avail_out = out_len;