From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chunwei Chen
Date: Thu, 1 Feb 2018 15:41:05 -0800
Subject: [PATCH] Fix zle_decompress out of bound access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Brian Behlendorf
Reviewed-by: loli10K
Signed-off-by: Chunwei Chen
Closes #7099
(cherry picked from commit 5e566c57726226ceeca09b1eb19cb1c373622763)
Signed-off-by: Fabian Grünbichler
---
 module/zfs/zle.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/module/zfs/zle.c b/module/zfs/zle.c
index 13c5673fb..613607faa 100644
--- a/module/zfs/zle.c
+++ b/module/zfs/zle.c
@@ -74,10 +74,14 @@ zle_decompress(void *s_start, void *d_start, size_t s_len, size_t d_len, int n)
 while (src < s_end && dst < d_end) {
 int len = 1 + *src++;
 if (len <= n) {
+ if (src + len > s_end || dst + len > d_end)
+ return (-1);
 while (len-- != 0)
 *dst++ = *src++;
 } else {
 len -= n;
+ if (dst + len > d_end)
+ return (-1);
 while (len-- != 0)
 *dst++ = 0;
 }
-- 
2.14.2
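Review bot: Both added guards compare computed pointers (`src + len > s_end`, `dst + len > d_end`), which forms a pointer past the end of the buffer in exactly the case the check is meant to reject; that is undefined in C, so comparing against the remaining length is the more robust form. I would write the first guard as `if (len > s_end - src || len > d_end - dst) return (-1);` and the second as `if (len > d_end - dst) return (-1);`. Because `len` is `1 + *src`, and so at most 256, the practical exposure is probably small, but the subtraction form does not depend on how the compiler treats the out-of-range pointer. A one-line comment such as `/* the run must fit in what remains of both buffers */` above the first guard would also help the next reader; zle_decompress starts and ends outside the hunk, so the valid range of `n` and the final return value cannot be checked from here.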