[PATCH] zlib inflate: Fix potential buffer overflow
From: Guenter Roeck
Date: Mon Apr 03 2017 - 12:14:26 EST
smatch says:
lib/zlib_inflate/inftrees.c:240 zlib_inflate_table() error:
buffer overflow 'count' 16 <= 16
The loop calculating the value for 'min', which is later used to access
count[], can indeed result in an index larger than ARRAY_SIZE(count)
if the array is filled with 0.
Fixes: 4f3865fb57a04 ("zlib_inflate: Upgrade library code to a recent version")
Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
---
lib/zlib_inflate/inftrees.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/zlib_inflate/inftrees.c b/lib/zlib_inflate/inftrees.c
index 3fe6ce5b53e5..028943052926 100644
--- a/lib/zlib_inflate/inftrees.c
+++ b/lib/zlib_inflate/inftrees.c
@@ -109,7 +109,7 @@ int zlib_inflate_table(codetype type, unsigned short *lens, unsigned codes,
*bits = 1;
return 0; /* no symbols, but wait for decoding to report error */
}
- for (min = 1; min <= MAXBITS; min++)
+ for (min = 1; min < MAXBITS; min++)
if (count[min] != 0) break;
if (root < min) root = min;
--
2.7.4