lz4: fix another possible overrun

[cascardo/linux.git] / lib / lz4 / lz4_decompress.c

diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index 99a03ac..b74da44 100644 (file)
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -108,6 +108,8 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
                if (length == ML_MASK) {
                        for (; *ip == 255; length += 255)
                                ip++;
+                       if (unlikely(length > (size_t)(length + *ip)))
+                               goto _output_error;
                        length += *ip++;
                }
 
@@ -157,7 +159,7 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
 
        /* write overflow error detected */
 _output_error:
-       return (int) (-(((char *)ip) - source));
+       return -1;
 }
 
 static int lz4_uncompress_unknownoutputsize(const char *source, char *dest,