diff options
| author | Lasse Collin <lasse.collin@tukaani.org> | 2011-11-11 14:34:24 +0100 |
|---|---|---|
| committer | Lasse Collin <lasse.collin@tukaani.org> | 2011-11-11 14:34:24 +0100 |
| commit | 24bde2170dde6ed1a4a3de7c96a019eb4dae9501 (patch) | |
| tree | d37da72c44a4bdb79c9fa915f4751f36ab8a7582 /xen/common/unlzma.c | |
| parent | 8e8ca04c7bbee50d35582d4f2748d644ebc47086 (diff) | |
| download | xen-24bde2170dde6ed1a4a3de7c96a019eb4dae9501.tar.gz xen-24bde2170dde6ed1a4a3de7c96a019eb4dae9501.tar.bz2 xen-24bde2170dde6ed1a4a3de7c96a019eb4dae9501.zip | |
Decompressors: validate match distance in unlzma.c
From: Lasse Collin <lasse.collin@tukaani.org>
Validate the newly decoded distance (rep0) in process_bit1(). This is to
detect corrupt LZMA data quickly. The old code can run for long time
producing garbage until it hits the end of the input.
Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>
Diffstat (limited to 'xen/common/unlzma.c')
| -rw-r--r-- | xen/common/unlzma.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/xen/common/unlzma.c b/xen/common/unlzma.c index 6dcd7ba20b..87b9e0a964 100644 --- a/xen/common/unlzma.c +++ b/xen/common/unlzma.c @@ -516,6 +516,9 @@ static inline int INIT process_bit1(struct writer *wr, struct rc *rc, cst->rep0 = pos_slot; if (++(cst->rep0) == 0) return 0; + if (cst->rep0 > wr->header->dict_size + || cst->rep0 > get_pos(wr)) + return -1; } len += LZMA_MATCH_MIN_LEN; |