[U-Boot] [PATCH 4/6] lzma: correctly bounds-check output buffer
The output buffer size must be correctly passed to the lzma decoder or there is a risk of overflowing memory during decompression. Switching to the LZMA_FINISH_END mode means nothing is left in an unknown state once the buffer becomes full. Signed-off-by: Kees Cook keesc...@chromium.org Acked-by: Simon Glass s...@chromium.org --- lib/lzma/LzmaTools.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c index 8d1165e11b..0aec2f9 100644 --- a/lib/lzma/LzmaTools.c +++ b/lib/lzma/LzmaTools.c @@ -97,15 +97,19 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize, g_Alloc.Alloc = SzAlloc; g_Alloc.Free = SzFree; +/* Short-circuit early if we know the buffer can't hold the results. */ +if (outSizeFull != (SizeT)-1 *uncompressedSize outSizeFull) +return SZ_ERROR_OUTPUT_EOF; + /* Decompress */ -outProcessed = outSizeFull; +outProcessed = *uncompressedSize; WATCHDOG_RESET(); res = LzmaDecode( outStream, outProcessed, inStream + LZMA_DATA_OFFSET, compressedSize, -inStream, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, state, g_Alloc); +inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, state, g_Alloc); *uncompressedSize = outProcessed; if (res != SZ_OK) { return res; -- 1.7.9.5 ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
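Review bot: at `outProcessed = *uncompressedSize;` the header-derived outSizeFull is dropped in favour of the caller's capacity, so when the header size is known and smaller than the buffer, LzmaDecode is handed a limit beyond the declared size while LZMA_FINISH_END expects the stream to finish at that limit. It is worth confirming that a valid image decompressed into a larger buffer still returns SZ_OK. Using outSizeFull as the limit whenever `outSizeFull != (SizeT)-1`, with *uncompressedSize acting only as the cap, would keep the FINISH_END limit equal to the declared size.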
Re: [U-Boot] [PATCH 4/6] lzma: correctly bounds-check output buffer
On Mon, Aug 12, 2013 at 5:02 PM, Kees Cook keesc...@chromium.org wrote:
The output buffer size must be correctly passed to the lzma decoder or there is a risk of overflowing memory during decompression. Switching to the LZMA_FINISH_END mode means nothing is left in an unknown state once the buffer becomes full.
Signed-off-by: Kees Cook keesc...@chromium.org
Acked-by: Simon Glass s...@chromium.org
[U-Boot] [PATCH 4/6] lzma: correctly bounds-check output buffer
The output buffer size must be correctly passed to the lzma decoder or there is a risk of overflowing memory during decompression. Switching to the LZMA_FINISH_END mode means nothing is left in an unknown state once the buffer becomes full. Signed-off-by: Kees Cook keesc...@chromium.org --- lib/lzma/LzmaTools.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c index 28a8aef..2459fbe 100644 --- a/lib/lzma/LzmaTools.c +++ b/lib/lzma/LzmaTools.c @@ -113,15 +113,19 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize, g_Alloc.Alloc = SzAlloc; g_Alloc.Free = SzFree; +/* Short-circuit early if we know the buffer can't hold the results. */ +if (outSizeFull != (SizeT)-1 *uncompressedSize outSizeFull) +return SZ_ERROR_OUTPUT_EOF; + /* Decompress */ -outProcessed = outSizeFull; +outProcessed = *uncompressedSize; WATCHDOG_RESET(); res = LzmaDecode( outStream, outProcessed, inStream + LZMA_DATA_OFFSET, compressedSize, -inStream, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, state, g_Alloc); +inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, state, g_Alloc); *uncompressedSize = outProcessed; if (res != SZ_OK) { return res; -- 1.7.9.5 ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
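Review bot: the added short-circuit check reads *uncompressedSize on entry, while in the lines shown it was previously only written (`*uncompressedSize = outProcessed;`), so the parameter becomes in/out without the hunk documenting it. The function comment should state that callers must set *uncompressedSize to the output buffer capacity before the call, and every existing caller needs auditing for that, since an uninitialised value would either trip the early SZ_ERROR_OUTPUT_EOF return or pass an arbitrary limit to LzmaDecode. The early return also leaves *uncompressedSize unchanged, so callers should not treat it as a byte count on that error path.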