提交 278208d9 编写于 作者: L Lasse Collin 提交者: Linus Torvalds

Decompressors: check for read errors in decompress_unlzma.c

Return value of rc->fill() is checked in rc_read() and error() is called
when needed, but then the code continues as if nothing had happened.

rc_read() is a void function and it's on the top of performance critical
call stacks, so propagating the error code via return values doesn't sound
like the best fix.  It seems better to check rc->buffer_size (which holds
the return value of rc->fill()) in the main loop.  It does nothing bad
that the code runs a little with unknown data after a failed rc->fill().

This fixes an infinite loop in initramfs decompression if the
LZMA-compressed initramfs image is corrupt.
Signed-off-by: NLasse Collin <lasse.collin@tukaani.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Alain Knaff <alain@knaff.lu>
Cc: Albin Tonnerre <albin.tonnerre@free-electrons.com>
Cc: Phillip Lougher <phillip@lougher.demon.co.uk>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
上级 8218a437
...@@ -631,6 +631,8 @@ STATIC inline int INIT unlzma(unsigned char *buf, int in_len, ...@@ -631,6 +631,8 @@ STATIC inline int INIT unlzma(unsigned char *buf, int in_len,
if (cst.rep0 == 0) if (cst.rep0 == 0)
break; break;
} }
if (rc.buffer_size <= 0)
goto exit_3;
} }
if (posp) if (posp)
...@@ -638,6 +640,7 @@ STATIC inline int INIT unlzma(unsigned char *buf, int in_len, ...@@ -638,6 +640,7 @@ STATIC inline int INIT unlzma(unsigned char *buf, int in_len,
if (wr.flush) if (wr.flush)
wr.flush(wr.buffer, wr.buffer_pos); wr.flush(wr.buffer, wr.buffer_pos);
ret = 0; ret = 0;
exit_3:
large_free(p); large_free(p);
exit_2: exit_2:
if (!output) if (!output)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册