diff options
author | Frediano Ziglio <fziglio@redhat.com> | 2017-12-22 18:43:00 +0000 |
---|---|---|
committer | Frediano Ziglio <fziglio@redhat.com> | 2019-01-08 21:27:45 +0000 |
commit | 3050b4e1f6f39c1a9f8a286791d06705fce1ecb7 (patch) | |
tree | 32535cf7841017c17ba994de0c0bed852082fce7 | |
parent | 16aa8c98d89fdfc49b7aa58d60f1cd82c075cb1f (diff) |
lz: Avoid buffer reading overflow checking for image type
The type of the image is just copied from network without
any check and later used for array indexing.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Uri Lublin <uril@redhat.com>
-rw-r--r-- | common/lz.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/common/lz.c b/common/lz.c index 87c13db..2c5d5e2 100644 --- a/common/lz.c +++ b/common/lz.c @@ -593,6 +593,9 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes, } encoder->type = (LzImageType)decode_32(encoder); + if (encoder->type <= LZ_IMAGE_TYPE_INVALID || encoder->type > LZ_IMAGE_TYPE_A8) { + encoder->usr->error(encoder->usr, "invalid lz type %d\n", encoder->type); + } encoder->width = decode_32(encoder); encoder->height = decode_32(encoder); encoder->stride = decode_32(encoder); |