summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVincent Stehlé <vincent.stehle@laposte.net>2014-06-18 18:51:19 +0200
committerDavid Sterba <dsterba@suse.cz>2014-08-22 14:43:09 +0200
commit93ebec96f2ae1d3276ebe89e2d6188f9b46692fb (patch)
tree92d561c7abceb47c904b5a3d734dccb11f76793b
parentf8c6dabca56c8aa277c0019fecb3c0169497323a (diff)
downloadbtrfs-progs-93ebec96f2ae1d3276ebe89e2d6188f9b46692fb.tar.gz
btrfs-progs: restore: check lzo compress length
When things go wrong for lzo-compressed btrfs, feeding lzo1x_decompress_safe() with corrupt data during restore can lead to crashes. Reduce the risk by adding a check on the input length. Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net> Signed-off-by: David Sterba <dsterba@suse.cz>
-rw-r--r--cmds-restore.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/cmds-restore.c b/cmds-restore.c
index 96b97e1..4338493 100644
--- a/cmds-restore.c
+++ b/cmds-restore.c
@@ -115,6 +115,12 @@ static int decompress_lzo(unsigned char *inbuf, char *outbuf, u64 compress_len,
while (tot_in < tot_len) {
in_len = read_compress_length(inbuf);
+
+ if ((tot_in + LZO_LEN + in_len) > tot_len) {
+ fprintf(stderr, "bad compress length %lu\n", in_len);
+ return -1;
+ }
+
inbuf += LZO_LEN;
tot_in += LZO_LEN;