| author | Paul Taysom <taysom@chromium.org> | 2013-06-20 07:28:45 -0700 |
|---|---|---|
| committer | Mister Oyster <oysterized@gmail.com> | 2017-04-11 10:57:13 +0200 |
| commit | 3852eb8985f994c0013643893121080a8adf816c (patch) | |
| tree | e34b0b6e5df5a5ae0b924b093d7a84fd8a1adff3 /lib/zlib_inflate | |
| parent | 808470257ec4db6bf061a7db98d961db891d637b (diff) | |
lib: zlib_inflate: fixed potential buffer overflow
smatch error from arm build:
arch/arm/boot/compressed/../../../../lib/zlib_inflate/inftrees.c:240 zlib_inflate_table() error: buffer overflow 'count' 16 <= 16
Because min is later assigned to len in zlib_inflate_table, by switching the tests
around, min always stays in bounds.
BUG=chromium:237705
TEST=FEATURES=test emerge-$B chromeos-kernel-next
Signed-off-by: Paul Taysom <taysom@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/59426
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>
Diffstat (limited to 'lib/zlib_inflate')
| -rw-r--r-- | lib/zlib_inflate/inftrees.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/zlib_inflate/inftrees.c b/lib/zlib_inflate/inftrees.c index 3fe6ce5b5..ac732ae72 100644 --- a/lib/zlib_inflate/inftrees.c +++ b/lib/zlib_inflate/inftrees.c @@ -109,8 +109,9 @@ int zlib_inflate_table(codetype type, unsigned short *lens, unsigned codes, *bits = 1; return 0; /* no symbols, but wait for decoding to report error */ } - for (min = 1; min <= MAXBITS; min++) - if (count[min] != 0) break; + /* Because min is used for len, must be in bounds of count */ + for (min = 1; count[min] == 0; min++) + if (min == MAXBITS) break; if (root < min) root = min; /* check for an over-subscribed or incomplete set of lengths */ |
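Review bot: In the new loop `for (min = 1; count[min] == 0; min++)`, the array read sits in the loop condition while the bound check is hidden in the body, so a reader has to verify by hand that count[min] is never evaluated with min above MAXBITS. It is correct as written: the body breaks at min == MAXBITS before the increment, and the smatch message reports 16 entries in count, so index MAXBITS is in range assuming MAXBITS is 15. Keeping the bound in the loop header, for example `for (min = 1; min < MAXBITS; min++)` with the original `if (count[min] != 0) break;` body, leaves min at the same final value and makes the invariant visible. The added comment should also name the bound (min <= MAXBITS) instead of the vaguer "in bounds of count". Separately, the context lines show an early return for the no-symbols case just above the loop; if that return already guarantees a nonzero count entry, the commit message should say the change silences a static-checker report rather than fixes a reachable overflow.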
