X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=fs%2Fisofs%2Frock.c;h=8bdd3e409543bf0febb4fd837d323562c412eccb;hb=6a77f38946aaee1cd85eeec6cf4229b204c15071;hp=19d999fd450c2c7892e5ef00045482f889fbf5c1;hpb=87fc8d1bb10cd459024a742c6a10961fefcef18f;p=linux-2.6.git
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index 19d999fd4..8bdd3e409 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -53,6 +53,7 @@
 if(LEN & 1) LEN++; \
 CHR = ((unsigned char *) DE) + LEN; \
 LEN = *((unsigned char *) DE) - LEN; \
+ if (LEN<0) LEN=0; \
 if (ISOFS_SB(inode->i_sb)->s_rock_offset!=-1) \
 { \
 LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset; \
@@ -73,6 +74,10 @@
 offset1 = 0; \
 pbh = sb_bread(DEV->i_sb, block); \
 if(pbh){ \
+ if (offset > pbh->b_size || offset + cont_size > pbh->b_size){ \
+ brelse(pbh); \
+ goto out; \
+ } \
 memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
 brelse(pbh); \
 chr = (unsigned char *) buffer; \
@@ -103,12 +108,13 @@ int get_rock_ridge_filename(struct iso_directory_record * de,
 struct rock_ridge * rr;
 int sig;
- while (len > 1){ /* There may be one byte for padding somewhere */
+ while (len > 2){ /* There may be one byte for padding somewhere */
 rr = (struct rock_ridge *) chr;
- if (rr->len == 0) goto out; /* Something got screwed up here */
+ if (rr->len < 3) goto out; /* Something got screwed up here */
 sig = isonum_721(chr);
 chr += rr->len;
 len -= rr->len;
+ if (len < 0) goto out; /* corrupted isofs */
 switch(sig){
 case SIG('R','R'):
@@ -122,6 +128,7 @@ int get_rock_ridge_filename(struct iso_directory_record * de,
 break;
 case SIG('N','M'):
 if (truncate) break;
+ if (rr->len < 5) break;
 /*
 * If the flags are 2 or 4, this indicates '.' or '..'.
 * We don't want to do anything with this, because it
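Review bot: The clamp added to SETUP_ROCK_RIDGE runs before the `LEN-=ISOFS_SB(inode->i_sb)->s_rock_offset;` line a few lines further down, so LEN can become negative again whenever the configured offset is larger than what is left. The macro body continues past the end of this hunk, so confirm that the same `if (LEN<0) LEN=0; \` also follows the subtraction. A short comment on the new line would record the reason, e.g. `/* first byte of DE is smaller than the part already consumed: no system use area */`.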
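Review bot: The bound added in the -73 hunk is written as a sum, `offset + cont_size > pbh->b_size`, which can wrap before the comparison if both operands are plain ints filled from the image (their declarations are outside the hunk, so this is an assumption to confirm). Because the first clause already establishes `offset <= pbh->b_size`, the subtraction form cannot wrap: `if (offset > pbh->b_size || cont_size > pbh->b_size - offset){ \`. The check bounds only the source side of the memcpy; `buffer` is allocated outside the hunk and should be confirmed to hold `cont_size` bytes. The new `goto out` also makes the macro depend on an `out:` label that releases `buffer` in every function that expands it.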
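Review bot: The comment on the loop head in get_rock_ridge_filename no longer explains the bound, since `len > 1` tolerated one trailing pad byte while `len > 2` together with `rr->len < 3` now requires a full three-byte entry header before it is read. I would reword it along the lines of `/* need signature (2 bytes) plus the length byte; a shorter tail is padding */`. The same stale comment sits on the loop heads in the -186 hunk (parse_rock_ridge_inode_internal) and the -487 hunk (rock_ridge_symlink_readpage). All three loop bodies continue outside their hunks.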
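Review bot: Only the NM case gets a per-entry minimum in the -122 hunk; the shared guard at the loop head guarantees just three bytes per entry, so any other case that reads fixed fields behind the header relies on `rr->len` being large enough without checking it. The RR case label is visible at the end of the -103 hunk but its body is not, so this needs confirming against the full switch in get_rock_ridge_filename and in parse_rock_ridge_inode_internal. On the new line itself, a comment giving the reason for 5 would help, e.g. `/* entry header plus the NM flags byte */`, assuming that is how the code past the hunk derives the name length.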
@@ -186,12 +193,13 @@ parse_rock_ridge_inode_internal(struct iso_directory_record *de,
 struct rock_ridge * rr;
 int rootflag;
- while (len > 1){ /* There may be one byte for padding somewhere */
+ while (len > 2){ /* There may be one byte for padding somewhere */
 rr = (struct rock_ridge *) chr;
- if (rr->len == 0) goto out; /* Something got screwed up here */
+ if (rr->len < 3) goto out; /* Something got screwed up here */
 sig = isonum_721(chr);
 chr += rr->len;
 len -= rr->len;
+ if (len < 0) goto out; /* corrupted isofs */
 switch(sig){
 #ifndef CONFIG_ZISOFS /* No flag for SF or ZF */
@@ -462,7 +470,7 @@ static int rock_ridge_symlink_readpage(struct file *file, struct page *page)
 struct rock_ridge *rr;
 if (!ISOFS_SB(inode->i_sb)->s_rock)
- panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
+ goto error;
 block = ei->i_iget5_block;
 lock_kernel();
@@ -487,13 +495,15 @@ static int rock_ridge_symlink_readpage(struct file *file, struct page *page)
 SETUP_ROCK_RIDGE(raw_inode, chr, len);
 repeat:
- while (len > 1) { /* There may be one byte for padding somewhere */
+ while (len > 2) { /* There may be one byte for padding somewhere */
 rr = (struct rock_ridge *) chr;
- if (rr->len == 0)
+ if (rr->len < 3)
 goto out; /* Something got screwed up here */
 sig = isonum_721(chr);
 chr += rr->len;
 len -= rr->len;
+ if (len < 0)
+ goto out; /* corrupted isofs */
 switch (sig) {
 case SIG('R', 'R'):
@@ -543,6 +553,7 @@ static int rock_ridge_symlink_readpage(struct file *file, struct page *page)
 fail:
 brelse(bh);
 unlock_kernel();
+ error:
 SetPageError(page);
 kunmap(page);
 unlock_page(page);
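Review bot: `goto error` in the -462 hunk lands on the label added in the -543 hunk and then runs `SetPageError(page); kunmap(page); unlock_page(page);`, which is balanced only if the page is already kmapped when the s_rock test runs; the kmap call is outside both hunks and should be confirmed to precede it. Skipping `unlock_kernel()` is right, because the jump happens before `lock_kernel()`. A comment on the label would keep later edits from moving it, e.g. `error: /* BKL not held here; page is locked and mapped */`. The removed panic was the only diagnostic on this path, so an image that trips the test now fails the read with no log line.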