From dc57230636fe8da068674e1023b2f07c593ec21b Mon Sep 17 00:00:00 2001
From: Con Kolivas <kernel@kolivas.org>
Date: Wed, 16 May 2018 14:30:15 +1000
Subject: [PATCH] Cope with compressed length being longer than uncompressed
and rounding up, attending to CVE-2017-8844.
---
stream.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/stream.c b/stream.c
index 4ef910e..01b883a 100644
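--- a/stream.c
+++ b/stream.c
@@ -1564,7 +1564,7 @@ static void *ucompthread(void *data)
 /* fill a buffer from a stream - return -1 on failure */
 static int fill_buffer(rzip_control *control, struct stream_info *sinfo, int streamno)
 {
- i64 u_len, c_len, last_head, padded_len, header_length;
+ i64 u_len, c_len, last_head, padded_len, header_length, max_len;
 uchar enc_head[25 + SALT_LEN], blocksalt[SALT_LEN];
 struct stream *s = &sinfo->s[streamno];
 stream_thread_struct *st;
@@ -1639,7 +1639,9 @@ static int fill_buffer(rzip_control *control, struct stream_info *sinfo, int str
 
 if (unlikely(u_len > control->maxram))
 fatal_return(("Unable to malloc buffer of size %lld in this environment\n", u_len), -1);
- s_buf = malloc(MAX(u_len, MIN_SIZE));
+ max_len = MAX(u_len, MIN_SIZE);
+ max_len = MAX(max_len, c_len);
+ s_buf = malloc(max_len);
 if (unlikely(u_len && !s_buf))
 fatal_return(("Unable to malloc buffer of size %lld in fill_buffer\n", u_len), -1);
 sinfo->ram_alloced += u_len;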
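Review bot: In the second hunk the buffer is now sized by `max_len`, but the guards around the `malloc` still test `u_len`: the `control->maxram` check runs before `c_len` is folded in, and `if (unlikely(u_len && !s_buf))` skips the NULL test entirely when `u_len` is 0. If `c_len` is read from the stream header (it appears to be, though the parsing lies outside this hunk), an input with a small or zero `u_len` and a very large `c_len` can request more than `maxram` and, if that allocation fails, carry on with a NULL `s_buf`. I would compute `max_len` before the limit check and test it there, `if (unlikely(max_len > control->maxram))`, and make the allocation check unconditional, `if (unlikely(!s_buf))`, printing `max_len` in both messages. `sinfo->ram_alloced += u_len` also under-counts the buffer now, but switching it to `max_len` would need the matching decrement to change too, and that code is not visible here. `fill_buffer` starts before and continues past the lines shown.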