--- /dev/null
+From 4148c1f67abf823099b2d7db6851e4aea407f5ee Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 24 Jun 2014 16:59:01 -0400
+Subject: lz4: fix another possible overrun
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 4148c1f67abf823099b2d7db6851e4aea407f5ee upstream.
+
+There is one other possible overrun in the lz4 code as implemented by
+Linux at this point in time (which differs from the upstream lz4
+codebase, but will get synced at in a future kernel release.) As
+pointed out by Don, we also need to check the overflow in the data
+itself.
+
+While we are at it, replace the odd error return value with just a
+"simple" -1 value as the return value is never used for anything other
+than a basic "did this work or not" check.
+
+Reported-by: "Don A. Bailey" <donb@securitymouse.com>
+Reported-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/lz4/lz4_decompress.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/lib/lz4/lz4_decompress.c
++++ b/lib/lz4/lz4_decompress.c
+@@ -108,6 +108,8 @@ static int lz4_uncompress(const char *so
+ if (length == ML_MASK) {
+ for (; *ip == 255; length += 255)
+ ip++;
++ if (unlikely(length > (size_t)(length + *ip)))
++ goto _output_error;
+ length += *ip++;
+ }
+
+@@ -157,7 +159,7 @@ static int lz4_uncompress(const char *so
+
+ /* write overflow error detected */
+ _output_error:
+- return (int) (-(((char *)ip) - source));
++ return -1;
+ }
+
+ static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,
projects / thirdparty / kernel / stable-queue.git / commitdiff
