This checks the size of the output buffer and fails if it was going to
overflow the buffer during lzo decompression.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
lib/lzo/lzo1x_decompress.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/lzo/lzo1x_decompress.c b/lib/lzo/lzo1x_decompress.c
index e6ff708..35f3793 100644
--- a/lib/lzo/lzo1x_decompress.c
+++ b/lib/lzo/lzo1x_decompress.c
@@ -68,13 +68,14 @@ int lzop_decompress(const unsigned char *src, size_t
src_len,
unsigned char *start = dst;
const unsigned char *send = src + src_len;
u32 slen, dlen;
- size_t tmp;
+ size_t tmp, remaining;
int r;
src = parse_header(src);
if (!src)
return LZO_E_ERROR;
+ remaining = *dst_len;
while (src < send) {
/* read uncompressed block size */
dlen = get_unaligned_be32(src);
@@ -93,6 +94,10 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
if (slen <= 0 || slen > dlen)
return LZO_E_ERROR;
+ /* abort if buffer ran out of room */
+ if (dlen > remaining)
+ return LZO_E_OUTPUT_OVERRUN;
+
/* decompress */
tmp = dlen;
r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp);
@@ -105,6 +110,7 @@ int lzop_decompress(const unsigned char *src, size_t
src_len,
src += slen;
dst += dlen;
+ remaining -= dlen;
}
return LZO_E_INPUT_OVERRUN;
--
1.7.9.5
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
