On Feb 13, 2008 11:00 AM, Myles Watson <[EMAIL PROTECTED]> wrote:
>
> On Feb 13, 2008 10:59 AM, Myles Watson <[EMAIL PROTECTED]> wrote:
> > This patch adds dst_len for the lar uncompress functions, enabling
> > buffer overflow checks.  It exits with an error instead of
> > overflowing.
> >
> > Myles
> >
> > Signed-off-by: Myles Watson <[EMAIL PROTECTED]>
> >
> One more time with the patch.
>
Updated patch.  I messed up one of the error messages the first time.

Signed-off-by: Myles Watson <[EMAIL PROTECTED]>
Index: util/lzma/minilzma.cc
===================================================================
--- util/lzma/minilzma.cc	(revision 592)
+++ util/lzma/minilzma.cc	(working copy)
@@ -280,18 +280,24 @@
 #else
 extern "C" {
 
-void do_lzma_compress(char *in, int in_len, char *out,
-		      int *out_len) {
+void do_lzma_compress(char *in, int in_len, char *out, int *out_len) {
 	std::vector<unsigned char> result;
 	result = LZMACompress(std::vector<unsigned char>(in, in + in_len));
 	*out_len = result.size();
 	std::memcpy(out, &result[0], *out_len);
 }
 
-void do_lzma_uncompress(char *dst, char *src, int len) {
+void do_lzma_uncompress(char *dst, int dst_len, char *src, int src_len) {
 	std::vector<unsigned char> result;
-	result = LZMADeCompress(std::vector<unsigned char>(src, src + len));
-	std::memcpy(dst, &result[0], result.size());
+	result = LZMADeCompress(std::vector<unsigned char>(src, src + src_len));
+	if (result.size() <= dst_len)
+		std::memcpy(dst, &result[0], result.size());
+	else
+	{
+		fprintf(stderr, "Not copying %d bytes to %d-byte buffer!\n",
+			result.size(), dst_len);
+		exit(1);
+	}
 }
 
 }
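Review bot: The new guard `result.size() <= dst_len` compares a `size_t` with an `int`, so a negative `dst_len` is converted to a very large unsigned value and the check passes; the same gap exists in `do_no_uncompress` in util/lar/lib.c, where two equal negative lengths reach `memcpy`. Because util/lar/stream.c feeds `ntohl(header->reallen)` into this parameter, a header value above `INT_MAX` may arrive here as a negative int. I would write `if (dst_len >= 0 && result.size() <= static_cast<size_t>(dst_len))` here and `if (dst_len >= 0 && dst_len == src_len)` in lib.c. The error message also prints `result.size()` with `%d`; `%zu`, or a cast to `unsigned long` with `%lu`, matches the argument type.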
Index: util/nrv2b/nrv2b.c
===================================================================
--- util/nrv2b/nrv2b.c	(revision 592)
+++ util/nrv2b/nrv2b.c	(working copy)
@@ -1338,16 +1338,16 @@
 #error "Bad Combination of ENDIAN and BITSIZE values specified"
 #endif
 
-#undef SAFE
+#define SAFE
 
 #ifdef SAFE
-#define FAIL(x,r)   if (x) { Error(r); }
+#define FAIL(x,r)   if (x) { fprintf(stderr,r); exit(1); }
 #else
 #define FAIL(x,r)
 #endif
 
 #ifdef COMPACT
-void do_nrv2b_uncompress(uint8_t *dst, uint8_t *src, int len) {
+void do_nrv2b_uncompress(uint8_t *dst, int dst_len, uint8_t *src, int src_len) {
 	unsigned long ilen = 0, olen = 0, last_m_off = 1;
 	uint32_t bb = 0;
 	unsigned bc = 0;
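Review bot: The rewritten `FAIL(x,r)` passes `r` to `fprintf` as the format string and expands to a bare `if` block, so a message containing `%` would be read as a conversion and the macro changes meaning when it is followed by an `else`. `#define FAIL(x,r) do { if (x) { fprintf(stderr, "%s", (r)); exit(1); } } while (0)` avoids both. The hunk adds `dst_len` to `do_nrv2b_uncompress`, but the body continues outside it, so it is not visible here whether any `FAIL` check compares the output position against `dst_len`; if none does, the new parameter gives no protection for this algorithm.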
Index: util/lar/lar.h
===================================================================
--- util/lar/lar.h	(revision 592)
+++ util/lar/lar.h	(working copy)
@@ -94,17 +94,17 @@
 enum compalgo { none = 0, lzma = 1, nrv2b = 2 };
 
 typedef void (*compress_func) (char *, int, char *, int *);
-typedef void (*uncompress_func) (char *, char *, int);
+typedef void (*uncompress_func) (char *, int, char *, int);
 
 void compress_impossible(char *in, int in_len, char *out, int *out_len);
 void do_no_compress(char *in, int in_len, char *out, int *out_len);
 void do_lzma_compress(char *in, int in_len, char *out, int *out_len);
 void do_nrv2b_compress(char *in, int in_len, char *out, int *out_len);
 
-void uncompress_impossible(char *, char *, int);
-void do_no_uncompress(char *, char *, int);
-void do_lzma_uncompress(char *, char *, int);
-void do_nrv2b_uncompress(char *, char *, int);
+void uncompress_impossible(char *dst, int dst_len, char *src, int src_len);
+void do_no_uncompress(char *dst, int dst_len, char *src, int src_len);
+void do_lzma_uncompress(char *dst, int dst_len, char *src, int src_len);
+void do_nrv2b_uncompress(char *dst, int dst_len, char *src, int src_len);
 
 static compress_func compress_functions[] = {
 	do_no_compress,
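Review bot: Only the uncompress side gains a capacity argument; `compress_func` in the context line above still has no way to pass the size of `out`, and `do_lzma_compress` in util/lzma/minilzma.cc copies `*out_len` bytes into `out` unchecked. If callers cannot guarantee the output buffer is large enough, the compress hooks need the same treatment. The prototypes would also benefit from a comment stating the contract, for example `/* dst_len: capacity of dst in bytes; implementations exit(1) rather than write past it */`. Note that `do_nrv2b_uncompress` is declared here with `char *` while the definition shown in util/nrv2b/nrv2b.c takes `uint8_t *`.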
Index: util/lar/lib.c
===================================================================
--- util/lar/lib.c	(revision 592)
+++ util/lar/lib.c	(working copy)
@@ -60,15 +60,22 @@
  * The default "uncompress" hook to call when no other compression is used
  */
 
-void do_no_uncompress(char *dst, char *src, int len)
+void do_no_uncompress(char *dst, int dst_len, char *src, int src_len)
 {
-	memcpy(dst, src, len);
+	if (dst_len == src_len)
+		memcpy(dst, src, dst_len);
+	else
+	{
+		fprintf(stderr,"%s: src_len(%d)!=dst_len(%d)\n",
+			__FUNCTION__,src_len,dst_len);
+		exit(1);
+	}
 }
 
 /**
  * The default "uncompress" hook to call when no other compression is used
  */
-void uncompress_impossible(char *dst, char *src, int len)
+void uncompress_impossible(char *dst, int dst_len, char *src, int src_len)
 {
 	fprintf(stderr,
 		"Cannot uncompress data (algorithm not compiled in).\n");
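Review bot: The comment above `do_no_uncompress` no longer describes its behaviour, since the function now terminates the process when the two lengths differ, and the comment above `uncompress_impossible` is a copy of it. I would document the new contract, e.g. `/* Copies src to dst; src_len must equal dst_len, otherwise prints an error and exits. */`, and give `uncompress_impossible` its own description. `__FUNCTION__` is a compiler extension; `__func__` is the C99 spelling. The body of `uncompress_impossible` continues outside the hunk.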
Index: util/lar/stream.c
===================================================================
--- util/lar/stream.c	(revision 592)
+++ util/lar/stream.c	(working copy)
@@ -685,6 +685,7 @@
 
 				uncompress_functions[ntohl(header->compression)](
 					(char*) buf,
+					ntohl(header->reallen),
 					(char *) ptr + ntohl(header->offset),
 					ntohl(header->len));
 