From: Kees Cook Date: Fri, 16 Aug 2013 14:59:14 +0000 (-0700) Subject: lzma: correctly bounds-check output buffer X-Git-Tag: v2025.01-rc5-pxa1908~15936 X-Git-Url: http://git.dujemihanovic.xyz/img/sics.gif?a=commitdiff_plain;h=afca294289949b118a192b77be947379734ea620;p=u-boot.git lzma: correctly bounds-check output buffer The output buffer size must be correctly passed to the lzma decoder or there is a risk of overflowing memory during decompression. Switching to the LZMA_FINISH_END mode means nothing is left in an unknown state once the buffer becomes full. Signed-off-by: Kees Cook Acked-by: Simon Glass --- diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c index 8d1165e11b..0aec2f9c76 100644 --- a/lib/lzma/LzmaTools.c +++ b/lib/lzma/LzmaTools.c @@ -97,15 +97,19 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize, g_Alloc.Alloc = SzAlloc; g_Alloc.Free = SzFree; + /* Short-circuit early if we know the buffer can't hold the results. */ + if (outSizeFull != (SizeT)-1 && *uncompressedSize < outSizeFull) + return SZ_ERROR_OUTPUT_EOF; + /* Decompress */ - outProcessed = outSizeFull; + outProcessed = *uncompressedSize; WATCHDOG_RESET(); res = LzmaDecode( outStream, &outProcessed, inStream + LZMA_DATA_OFFSET, &compressedSize, - inStream, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, &state, &g_Alloc); + inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc); *uncompressedSize = outProcessed; if (res != SZ_OK) { return res;