Date:   Mon,  3 Apr 2017 09:14:19 -0700
From:   Guenter Roeck <linux@...ck-us.net>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org, Guenter Roeck <linux@...ck-us.net>
Subject: [PATCH] zlib inflate: Fix potential buffer overflow

smatch says:

lib/zlib_inflate/inftrees.c:240 zlib_inflate_table() error:
	buffer overflow 'count' 16 <= 16

The loop calculating the value for 'min', which is later used to access
count[], can indeed result in an index larger than ARRAY_SIZE(count)
if the array is filled with 0.

Fixes: 4f3865fb57a04 ("zlib_inflate: Upgrade library code to a recent version")
Signed-off-by: Guenter Roeck <linux@...ck-us.net>
---
 lib/zlib_inflate/inftrees.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/zlib_inflate/inftrees.c b/lib/zlib_inflate/inftrees.c
index 3fe6ce5b53e5..028943052926 100644
--- a/lib/zlib_inflate/inftrees.c
+++ b/lib/zlib_inflate/inftrees.c
@@ -109,7 +109,7 @@ int zlib_inflate_table(codetype type, unsigned short *lens, unsigned codes,
         *bits = 1;
         return 0;     /* no symbols, but wait for decoding to report error */
     }
-    for (min = 1; min <= MAXBITS; min++)
+    for (min = 1; min < MAXBITS; min++)
         if (count[min] != 0) break;
     if (root < min) root = min;
 
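Review bot: On the changed loop bound, `for (min = 1; min < MAXBITS; min++)` now exits with min == MAXBITS without ever testing count[MAXBITS], so the code after it silently assumes that entry is nonzero whenever all shorter lengths are empty. The context lines directly above return early with the comment "no symbols", which suggests the all-zero case described in the commit message never reaches this loop. If so, the changelog should say this silences a static-checker report rather than fixing a reachable overflow, and a short comment at the loop stating why count[MAXBITS] needs no check would keep the next reader from "fixing" the bound back to `<=`. The smatch message reports 16 elements for count[], so the new maximum index of MAXBITS stays in bounds provided MAXBITS is 15, which is worth stating in the changelog as well.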
-- 
2.7.4
