From: Sean Anderson Date: Sat, 4 Nov 2023 20:37:43 +0000 (-0400) Subject: spl: legacy: Honor bl_len when decompressing X-Git-Tag: v2025.01-rc5-pxa1908~582^2~31^2~10 X-Git-Url: http://git.dujemihanovic.xyz/html/static/%7B%7B%20%28.OutputFormats.Get?a=commitdiff_plain;h=57d3da6fee1d4d8691a74d9b7bb5b7bc0d4e4e63;p=u-boot.git spl: legacy: Honor bl_len when decompressing When allocating a buffer to load compressed data into, we need to ensure we have enough space for over- and under-flow due to alignment. Otherwise we will clobber the malloc bookkeeping data. Calculate the correct amount of overhead and use it when determining the size. Signed-off-by: Sean Anderson --- diff --git a/common/spl/spl_legacy.c b/common/spl/spl_legacy.c index 51656fb961..9189576b77 100644 --- a/common/spl/spl_legacy.c +++ b/common/spl/spl_legacy.c @@ -133,25 +133,31 @@ int spl_load_legacy_img(struct spl_image_info *spl_image, map_sysmem(spl_image->load_addr, spl_image->size)); break; - case IH_COMP_LZMA: + case IH_COMP_LZMA: { + ulong overhead, size; + lzma_len = LZMA_LEN; /* dataptr points to compressed payload */ - dataptr = offset + sizeof(*hdr); + dataptr = ALIGN_DOWN(sizeof(*hdr), load->bl_len); + overhead = sizeof(*hdr) - dataptr; + size = ALIGN(spl_image->size + overhead, load->bl_len); + dataptr += offset; debug("LZMA: Decompressing %08lx to %08lx\n", dataptr, spl_image->load_addr); - src = malloc(spl_image->size); + src = malloc(size); if (!src) { printf("Unable to allocate %d bytes for LZMA\n", spl_image->size); return -ENOMEM; } - load->read(load, dataptr, spl_image->size, src); + load->read(load, dataptr, size, src); ret = lzmaBuffToBuffDecompress(map_sysmem(spl_image->load_addr, spl_image->size), - &lzma_len, src, spl_image->size); + &lzma_len, src + overhead, + spl_image->size); if (ret) { printf("LZMA decompression error: %d\n", ret); return ret; @@ -159,7 +165,7 @@ int spl_load_legacy_img(struct spl_image_info *spl_image, spl_image->size = lzma_len; break; - + } default: debug("Compression method %s is not supported\n", genimg_get_comp_short_name(image_get_comp(hdr)));