From: Antonios Vamporakis
Date: Tue, 31 Dec 2013 01:57:01 +0000 (+0100)
Subject: lzma: fix buffer bound check error
X-Git-Tag: v2025.01-rc5-pxa1908~15479^2~79
X-Git-Url: http://git.dujemihanovic.xyz/html/static/%7B%7B%20%24.Site.BaseURL%20%7D%7Dposts/index.xml?a=commitdiff_plain;h=4d3b8a0d1b8665c190d502744e753ba05a047810;p=u-boot.git

lzma: fix buffer bound check error

Variable uncompressedSize references the space available, while outSizeFull is the actual expected uncompressed size. Using the wrong value causes LzmaDecode to return SZ_ERROR_INPUT_EOF. Problem was introduced in commit afca294.

While at it add additional debug message.

Signed-off-by: Antonios Vamporakis
CC: Kees Cook
CC: Simon Glass
CC: Daniel Schwierzeck
CC: Luka Perkov
---
diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c index 0aec2f9c76..90d31cdcf8 100644 --- a/lib/lzma/LzmaTools.c +++ b/lib/lzma/LzmaTools.c @@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize, return SZ_ERROR_OUTPUT_EOF; /* Decompress */ - outProcessed = *uncompressedSize; + outProcessed = outSizeFull; WATCHDOG_RESET(); @@ -111,6 +111,9 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize, inStream + LZMA_DATA_OFFSET, &compressedSize, inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc); *uncompressedSize = outProcessed; + + debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed); + if (res != SZ_OK) { return res; }
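Review bot: In the first hunk, `outProcessed = outSizeFull;` makes the decoder's output limit the expected size rather than the space the caller passed in `*uncompressedSize`, so the output bound now rests entirely on the check that ends in `return SZ_ERROR_OUTPUT_EOF;` just above, whose condition is not in the hunk context. Please confirm that check rejects every case where outSizeFull exceeds `*uncompressedSize`, or make the limit self-contained by assigning the smaller of outSizeFull and `*uncompressedSize` here. That still fixes the SZ_ERROR_INPUT_EOF case described in the commit message while keeping the write bounded by the available space if the earlier check is ever changed or skipped.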
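Review bot: In the second hunk, the new `debug()` call sits before `if (res != SZ_OK)`, so on a failed decode it reports a partial outProcessed value with nothing to mark it as an error; consider moving it after the check or printing `res` alongside it. The format string also has a typo, "Uncompresed" should be "Uncompressed". Since outProcessed takes its value from a `SizeT`, it is worth confirming that `%zx` matches that type on every build, or adding a cast.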