From ba3d827e29e3ec2e9ef97c3adc6aa50948947280 Mon Sep 17 00:00:00 2001
From: Chunwei Chen
Date: Thu, 1 Feb 2018 15:41:05 -0800
Subject: [PATCH] Fix zle_decompress out of bound access
Reviewed-by: Brian Behlendorf
Reviewed-by: loli10K
Signed-off-by: Chunwei Chen
Closes #7099
---
 module/zfs/zle.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/module/zfs/zle.c b/module/zfs/zle.c
index 13c5673fbe26..613607faaa97 100644
--- a/module/zfs/zle.c
+++ b/module/zfs/zle.c
@@ -74,10 +74,14 @@ zle_decompress(void *s_start, void *d_start, size_t s_len, size_t d_len, int n)
 while (src < s_end && dst < d_end) {
 int len = 1 + *src++;
 if (len <= n) {
+ if (src + len > s_end || dst + len > d_end)
+ return (-1);
 while (len-- != 0)
 *dst++ = *src++;
 } else {
 len -= n;
+ if (dst + len > d_end)
+ return (-1);
 while (len-- != 0)
 *dst++ = 0;
 }
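Review bot: The two added guards form `src + len` and `dst + len` before comparing them with the end pointers, so for a malformed stream the intermediate pointer can already lie more than one element past its buffer, which C leaves undefined and which could in principle wrap for a buffer near the top of the address space. Comparing the remaining lengths avoids ever forming that pointer: `if (len > s_end - src || len > d_end - dst)` in the copy branch and `if (len > d_end - dst)` in the zero-fill branch. A short comment above the first check, for example `/* reject a run that would overrun the source or destination buffer */`, would record why the function fails here instead of truncating the run. zle_decompress begins and ends outside the hunk, so the declarations of src and dst and the final return are not visible here.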