From 93ebec96f2ae1d3276ebe89e2d6188f9b46692fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vincent=20Stehl=C3=A9?=
Date: Wed, 18 Jun 2014 18:51:19 +0200
Subject: btrfs-progs: restore: check lzo compress length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When things go wrong for lzo-compressed btrfs, feeding lzo1x_decompress_safe() with corrupt data during restore can lead to crashes. Reduce the risk by adding a check on the input length.

Signed-off-by: Vincent Stehlé
Signed-off-by: David Sterba
---
cmds-restore.c | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'cmds-restore.c')
diff --git a/cmds-restore.c b/cmds-restore.c
index 96b97e1e..43384932 100644
--- a/cmds-restore.c
+++ b/cmds-restore.c
@@ -115,6 +115,12 @@ static int decompress_lzo(unsigned char *inbuf, char *outbuf, u64 compress_len,
 while (tot_in < tot_len) {
 in_len = read_compress_length(inbuf);
+
+ if ((tot_in + LZO_LEN + in_len) > tot_len) {
+ fprintf(stderr, "bad compress length %lu\n", in_len);
+ return -1;
+ }
+
 inbuf += LZO_LEN;
 tot_in += LZO_LEN;
--
cgit v1.2.3
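Review bot: The new bound inside the `while` loop is computed by addition, so `tot_in + LZO_LEN + in_len` can wrap when `in_len` is a very large value read from a corrupt extent, and the wrapped sum then compares as not greater than `tot_len`; the declarations are outside the hunk, but if these variables are `size_t` this matters on 32-bit builds. Comparing by subtraction avoids the wrap, since the loop condition already guarantees `tot_in < tot_len`: `if (tot_len - tot_in < LZO_LEN || in_len > tot_len - tot_in - LZO_LEN) {`. The check is also only relative to `tot_len`, which appears to come from the same untrusted stream, so it is worth confirming that `tot_len` is bounded by `compress_len` before the loop is entered. If `in_len` is a `size_t`, the message should use `%zu` rather than `%lu`. The body of decompress_lzo starts and ends outside this hunk.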