From: Lasse Collin <lasse.collin@tukaani.org>
Return value of rc->fill() is checked in rc_read() and error()
is called when needed, but then the code continues as if nothing
had happened.
rc_read() is a void function and it's on the top of performance
critical call stacks, so propagating the error code via return
values doesn't sound like the best fix. It seems better to check
rc->buffer_size (which holds the return value of rc->fill()) in
the main loop. It does nothing bad that the code runs a little
with unknown data after a failed rc->fill().
This fixes an infinite loop in initramfs decompression if the
LZMA-compressed initramfs image is corrupt.
Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
---
--- linux-2.6.37-rc3/lib/decompress_unlzma.c.orig 2010-11-23 11:07:28.000000000 +0200
+++ linux-2.6.37-rc3/lib/decompress_unlzma.c 2010-11-23 11:10:07.000000000 +0200
@@ -637,6 +637,8 @@ STATIC inline int INIT unlzma(unsigned c
if (cst.rep0 == 0)
break;
}
+ if (rc.buffer_size <= 0)
+ goto exit_3;
}
if (posp)
@@ -644,6 +646,7 @@ STATIC inline int INIT unlzma(unsigned c
if (wr.flush)
wr.flush(wr.buffer, wr.buffer_pos);
ret = 0;
+exit_3:
large_free(p);
exit_2:
if (!output)
--
