Fix zle_decompress out of bound access

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: loli10K <ezomori.nozomu@gmail.com>
Signed-off-by: Chunwei Chen <david.chen@nutanix.com>
Closes #7099

diff --git a/module/zfs/zle.c b/module/zfs/zle.c
index 13c5673fbe2671ab597600e0828a5356aba3a656..613607faaa97e99e187cb9f0f5bb04a320f769b4 100644 (file)
--- a/module/zfs/zle.c
+++ b/module/zfs/zle.c
@@ -74,10 +74,14 @@ zle_decompress(void *s_start, void *d_start, size_t s_len, size_t d_len, int n)
        while (src < s_end && dst < d_end) {
                int len = 1 + *src++;
                if (len <= n) {
+                       if (src + len > s_end || dst + len > d_end)
+                               return (-1);
                        while (len-- != 0)
                                *dst++ = *src++;
                } else {
                        len -= n;
+                       if (dst + len > d_end)
+                               return (-1);
                        while (len-- != 0)
                                *dst++ = 0;
                }