LM
/
u-boot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

lzma: correctly bounds-check output buffer 

The output buffer size must be correctly passed to the lzma decoder or
there is a risk of overflowing memory during decompression. Switching
to the LZMA_FINISH_END mode means nothing is left in an unknown state
once the buffer becomes full.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
This commit is contained in:
Kees Cook 2013-08-16 07:59:14 -07:00 committed by Simon Glass
parent b75650d84d
commit afca294289
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/lzma/LzmaTools.c
View File

@ -97,15 +97,19 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
g_Alloc.Alloc = SzAlloc; g_Alloc.Alloc = SzAlloc;
g_Alloc.Free = SzFree; g_Alloc.Free = SzFree;
/* Short-circuit early if we know the buffer can't hold the results. */
if (outSizeFull != (SizeT)-1 && *uncompressedSize < outSizeFull)
return SZ_ERROR_OUTPUT_EOF;
/* Decompress */ /* Decompress */
outProcessed = outSizeFull; outProcessed = *uncompressedSize;
WATCHDOG_RESET(); WATCHDOG_RESET();
res = LzmaDecode( res = LzmaDecode(
outStream, &outProcessed, outStream, &outProcessed,
inStream + LZMA_DATA_OFFSET, &compressedSize, inStream + LZMA_DATA_OFFSET, &compressedSize,
inStream, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, &state, &g_Alloc); inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
*uncompressedSize = outProcessed; *uncompressedSize = outProcessed;
if (res != SZ_OK) { if (res != SZ_OK) {
return res; return res;