author | Vincent Stehlé <vincent.stehle@laposte.net> | 2014-06-18 18:51:19 +0200 |
---|---|---|
committer | David Sterba <dsterba@suse.cz> | 2014-08-22 14:43:09 +0200 |
commit | 93ebec96f2ae1d3276ebe89e2d6188f9b46692fb (patch) | |
tree | 92d561c7abceb47c904b5a3d734dccb11f76793b | |
parent | f8c6dabca56c8aa277c0019fecb3c0169497323a (diff) | |
download | btrfs-progs-93ebec96f2ae1d3276ebe89e2d6188f9b46692fb.tar.gz |
btrfs-progs: restore: check lzo compress length
When things go wrong for lzo-compressed btrfs, feeding lzo1x_decompress_safe()
with corrupt data during restore can lead to crashes. Reduce the risk by adding
a check on the input length.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: David Sterba <dsterba@suse.cz>
-rw-r--r-- | cmds-restore.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/cmds-restore.c b/cmds-restore.c
index 96b97e1..4338493 100644
--- a/cmds-restore.c
+++ b/cmds-restore.c
@@ -115,6 +115,12 @@ static int decompress_lzo(unsigned char *inbuf, char *outbuf, u64 compress_len,
 while (tot_in < tot_len) {
 in_len = read_compress_length(inbuf);
+
+ if ((tot_in + LZO_LEN + in_len) > tot_len) {
+ fprintf(stderr, "bad compress length %lu\n", in_len);
+ return -1;
+ }
+
 inbuf += LZO_LEN;
 tot_in += LZO_LEN; |
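Review bot: The added bound in `decompress_lzo` is computed as the sum `tot_in + LZO_LEN + in_len`, which can wrap if these operands are 32 bits wide on the build target, so a very large corrupt `in_len` could still pass the check; the declarations sit outside the hunk, so the widths need confirming. Writing the test as a subtraction avoids the wrap, since the loop condition already guarantees `tot_in < tot_len`: `if (tot_len - tot_in < LZO_LEN || in_len > tot_len - tot_in - LZO_LEN) {`. The check also trusts `tot_len`; if that value is itself parsed from `inbuf`, it should be validated against the `compress_len` parameter before the loop, otherwise a corrupt header widens the bound. Separately, `%lu` matches `in_len` only when it is an `unsigned long`; for a `size_t` the specifier should be `%zu`.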