[PATCH] zlib inflate: Fix potential buffer overflow

From: Guenter Roeck
Date: Mon Apr 03 2017 - 12:14:26 EST


smatch says:

lib/zlib_inflate/inftrees.c:240 zlib_inflate_table() error:
buffer overflow 'count' 16 <= 16

The loop calculating the value for 'min', which is later used to access
count[], can indeed result in an index larger than ARRAY_SIZE(count)
if the array is filled with 0.

Fixes: 4f3865fb57a04 ("zlib_inflate: Upgrade library code to a recent version")
Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
---
lib/zlib_inflate/inftrees.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/zlib_inflate/inftrees.c b/lib/zlib_inflate/inftrees.c
index 3fe6ce5b53e5..028943052926 100644
--- a/lib/zlib_inflate/inftrees.c
+++ b/lib/zlib_inflate/inftrees.c
@@ -109,7 +109,7 @@ int zlib_inflate_table(codetype type, unsigned short *lens, unsigned codes,
*bits = 1;
return 0; /* no symbols, but wait for decoding to report error */
}
- for (min = 1; min <= MAXBITS; min++)
+ for (min = 1; min < MAXBITS; min++)
if (count[min] != 0) break;
if (root < min) root = min;

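Review bot: The all-zero case named in the changelog looks unreachable at the changed `for (min = 1; ...)` loop, because the context directly above it already returns 0 for "no symbols" before the loop runs. The condition guarding that return is not visible in this hunk, so please confirm it covers the case where every count[] entry is zero. If it does, the old loop always hit its `break` before min could reach the out-of-range index smatch reports, and the changelog should say this silences a false positive rather than "can indeed result in" an overflow; the Fixes: tag would then deserve a second look too. The new bound itself is harmless: on fall-through min ends at MAXBITS, the same value the old loop produced when only count[MAXBITS] was nonzero. Since count[MAXBITS] is now never tested by this loop, a one-line comment saying why that is safe would help the next reader.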
--
2.7.4