From 57d3da6fee1d4d8691a74d9b7bb5b7bc0d4e4e63 Mon Sep 17 00:00:00 2001
From: Sean Anderson <seanga2@gmail.com>
Date: Sat, 4 Nov 2023 16:37:43 -0400
Subject: [PATCH] spl: legacy: Honor bl_len when decompressing

When allocating a buffer to load compressed data into, we need to ensure we
have enough space for over- and under-flow due to alignment. Otherwise we
will clobber the malloc bookkeeping data. Calculate the correct amount of
overhead and use it when determining the size.

Signed-off-by: Sean Anderson <seanga2@gmail.com>
---
 common/spl/spl_legacy.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/common/spl/spl_legacy.c b/common/spl/spl_legacy.c
index 51656fb961..9189576b77 100644
--- a/common/spl/spl_legacy.c
+++ b/common/spl/spl_legacy.c
@@ -133,25 +133,31 @@ int spl_load_legacy_img(struct spl_image_info *spl_image,
 			   map_sysmem(spl_image->load_addr, spl_image->size));
 		break;
 
-	case IH_COMP_LZMA:
+	case IH_COMP_LZMA: {
+		ulong overhead, size;
+
 		lzma_len = LZMA_LEN;
 
 		/* dataptr points to compressed payload  */
-		dataptr = offset + sizeof(*hdr);
+		dataptr = ALIGN_DOWN(sizeof(*hdr), load->bl_len);
+		overhead = sizeof(*hdr) - dataptr;
+		size = ALIGN(spl_image->size + overhead, load->bl_len);
+		dataptr += offset;
 
 		debug("LZMA: Decompressing %08lx to %08lx\n",
 		      dataptr, spl_image->load_addr);
-		src = malloc(spl_image->size);
+		src = malloc(size);
 		if (!src) {
 			printf("Unable to allocate %d bytes for LZMA\n",
 			       spl_image->size);
 			return -ENOMEM;
 		}
 
-		load->read(load, dataptr, spl_image->size, src);
+		load->read(load, dataptr, size, src);
 		ret = lzmaBuffToBuffDecompress(map_sysmem(spl_image->load_addr,
 							  spl_image->size),
-					       &lzma_len, src, spl_image->size);
+					       &lzma_len, src + overhead,
+					       spl_image->size);
 		if (ret) {
 			printf("LZMA decompression error: %d\n", ret);
 			return ret;
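Review bot: The allocation-failure message still reports `spl_image->size` although the request is now `size`, which includes the alignment padding, so the log understates what actually failed; change the printf to `printf("Unable to allocate %lu bytes for LZMA\n", size);`. The return value of `load->read(load, dataptr, size, src)` is discarded, so a short read from the boot device would hand a partially filled buffer to lzmaBuffToBuffDecompress; if read reports the byte count as elsewhere in SPL, `if (load->read(load, dataptr, size, src) != size) { free(src); return -EIO; }` would reject it. The `return ret;` on the decompression-error path also leaks `src`, which is pre-existing but now includes the extra padding. spl_load_legacy_img starts before this hunk and continues past it.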
@@ -159,7 +165,7 @@ int spl_load_legacy_img(struct spl_image_info *spl_image,
 
 		spl_image->size = lzma_len;
 		break;
-
+	}
 	default:
 		debug("Compression method %s is not supported\n",
 		      genimg_get_comp_short_name(image_get_comp(hdr)));
-- 
2.39.5