author | Phillip Lougher <phillip@lougher.demon.co.uk> | 2009-03-05 00:31:12 +0000 |
---|---|---|
committer | Phillip Lougher <phillip@lougher.demon.co.uk> | 2009-03-05 00:31:12 +0000 |
commit | 118e1ef6fabfc023126e6075f6ac0fc729cb5285 (patch) | |
tree | 3c497ad9fcc5a459de9d75a688bb78c5220e8dd5 /fs/squashfs/cache.c | |
parent | 2450cf51a1bdba7037e91b1bcc494b01c58aaf66 (diff) | |
Squashfs: Fix oops when reading fsfuzzer corrupted filesystems
This fixes a code regression caused by the recent mainlining changes.
The recent code changes call zlib_inflate repeatedly, decompressing into
separate 4K buffers; this code didn't check for the possibility that
zlib_inflate might ask for too many buffers when decompressing corrupted
data.
Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
Diffstat (limited to 'fs/squashfs/cache.c')
-rw-r--r-- | fs/squashfs/cache.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/squashfs/cache.c b/fs/squashfs/cache.c index f29eda16d25e..1c4739e33af6 100644 --- a/fs/squashfs/cache.c +++ b/fs/squashfs/cache.c @@ -119,7 +119,7 @@ struct squashfs_cache_entry *squashfs_cache_get(struct super_block *sb, entry->length = squashfs_read_data(sb, entry->data, block, length, &entry->next_index, - cache->block_size); + cache->block_size, cache->pages); spin_lock(&cache->lock); @@ -406,7 +406,7 @@ int squashfs_read_table(struct super_block *sb, void *buffer, u64 block, for (i = 0; i < pages; i++, buffer += PAGE_CACHE_SIZE) data[i] = buffer; res = squashfs_read_data(sb, data, block, length | - SQUASHFS_COMPRESSED_BIT_BLOCK, NULL, length); + SQUASHFS_COMPRESSED_BIT_BLOCK, NULL, length, pages); kfree(data); return res; } |
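Review bot: In the squashfs_cache_get hunk, the call now hands squashfs_read_data two separate limits, cache->block_size and cache->pages, and nothing in the visible lines ties them together. If cache->pages is meant to be the number of PAGE_CACHE_SIZE buffers behind entry->data, state that invariant where the cache is set up, or check that cache->pages * PAGE_CACHE_SIZE covers cache->block_size, so that a later change to one value does not silently loosen the bound. The check that consumes the new argument is in squashfs_read_data, which this file-limited view does not show, so it needs to be reviewed together with this call site.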
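Review bot: In the squashfs_read_table hunk, the new last argument pages is the same variable that bounds the loop filling data[i], so the limit is only as tight as the computation of pages from length, which sits above the lines shown. Confirm that pages is rounded up from length and that the caller's buffer really spans pages * PAGE_CACHE_SIZE bytes, since data[] points straight into it. A short comment on the new squashfs_read_data parameter saying that it is the number of entries in the buffer array would also help, because the call now carries both a byte length and a page count.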