| author | Kees Cook <keescook@chromium.org> | 2013-08-16 07:59:14 -0700 | 
|---|---|---|
| committer | Simon Glass <sjg@chromium.org> | 2013-09-03 13:30:21 -0600 | 
| commit | afca294289949b118a192b77be947379734ea620 (patch) | |
| tree | d1f02ebb7651ce6172eb58d03521fb60fbb66cb8 | |
| parent | b75650d84d4b7892179ae183523011f6d898423d (diff) | |
lzma: correctly bounds-check output buffer
The output buffer size must be correctly passed to the lzma decoder or
there is a risk of overflowing memory during decompression. Switching
to the LZMA_FINISH_END mode means nothing is left in an unknown state
once the buffer becomes full.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
| -rw-r--r-- | lib/lzma/LzmaTools.c | 8 | 
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
index 8d1165e11b..0aec2f9c7 100644
--- a/lib/lzma/LzmaTools.c
+++ b/lib/lzma/LzmaTools.c
@@ -97,15 +97,19 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
     g_Alloc.Alloc = SzAlloc;
     g_Alloc.Free = SzFree;
+    /* Short-circuit early if we know the buffer can't hold the results. */
+    if (outSizeFull != (SizeT)-1 && *uncompressedSize < outSizeFull)
+        return SZ_ERROR_OUTPUT_EOF;
+
     /* Decompress */
-    outProcessed = outSizeFull;
+    outProcessed = *uncompressedSize;
     WATCHDOG_RESET();
     res = LzmaDecode(
         outStream, &outProcessed,
         inStream + LZMA_DATA_OFFSET, &compressedSize,
-        inStream, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, &state, &g_Alloc);
+        inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
     *uncompressedSize = outProcessed;
     if (res != SZ_OK)  {
         return res;