[U-Boot] [PATCH 4/6] lzma: correctly bounds-check output buffer

2013-08-16 Thread Kees Cook
The output buffer size must be correctly passed to the lzma decoder or
there is a risk of overflowing memory during decompression. Switching
to the LZMA_FINISH_END mode means nothing is left in an unknown state
once the buffer becomes full.

Signed-off-by: Kees Cook keesc...@chromium.org
Acked-by: Simon Glass s...@chromium.org
---
 lib/lzma/LzmaTools.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
index 8d1165e11b..0aec2f9 100644
--- a/lib/lzma/LzmaTools.c
+++ b/lib/lzma/LzmaTools.c
@@ -97,15 +97,19 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, 
SizeT *uncompressedSize,
 g_Alloc.Alloc = SzAlloc;
 g_Alloc.Free = SzFree;
 
+/* Short-circuit early if we know the buffer can't hold the results. */
+if (outSizeFull != (SizeT)-1  *uncompressedSize  outSizeFull)
+return SZ_ERROR_OUTPUT_EOF;
+
 /* Decompress */
-outProcessed = outSizeFull;
+outProcessed = *uncompressedSize;
 
 WATCHDOG_RESET();
 
 res = LzmaDecode(
 outStream, outProcessed,
 inStream + LZMA_DATA_OFFSET, compressedSize,
-inStream, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, state, g_Alloc);
+inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, state, g_Alloc);
 *uncompressedSize = outProcessed;
 if (res != SZ_OK)  {
 return res;
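Review bot: `outProcessed = *uncompressedSize;` makes the decode limit the caller's buffer capacity even when `outSizeFull`, which the removed line used as the output length, is known and smaller. Together with `LZMA_FINISH_END`, the decoder is then asked to finish the stream at the capacity rather than at that size. Consider limiting `outProcessed` to the smaller of `outSizeFull` and `*uncompressedSize` whenever `outSizeFull != (SizeT)-1`, and confirm that an image without an end-of-stream marker still comes back as `SZ_OK` through the `if (res != SZ_OK)` check.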
-- 
1.7.9.5

___
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
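
The size check the commit message describes, sketched as an added example (not code from the patch or from U-Boot): it reads the 8-byte little-endian size field that follows the 5 property bytes in a classic .lzma header and derives the output limit to hand to a decoder. The function name, macro names, return codes and sample headers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Classic .lzma header: 5 property bytes, 8-byte little-endian
 * uncompressed size, then the compressed data. */
#define HDR_PROPS_SIZE  5
#define HDR_SIZE_OFFSET HDR_PROPS_SIZE
#define HDR_DATA_OFFSET (HDR_SIZE_OFFSET + 8)

/* Hypothetical return codes for this example. */
enum { LIMIT_OK = 0, LIMIT_BAD_INPUT = 1, LIMIT_TOO_SMALL = 2 };

/* Constructed sample headers: declared size 4096, and "size unknown". */
const unsigned char sample_known[13] =
    { 0x5d, 0x00, 0x00, 0x80, 0x00, 0x00, 0x10, 0, 0, 0, 0, 0, 0 };
const unsigned char sample_unknown[13] =
    { 0x5d, 0x00, 0x00, 0x80, 0x00,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
size_t demo_limit; /* scratch output for callers of the example */

/*
 * Hypothetical helper: given the destination capacity, compute how many
 * output bytes a decoder may be allowed to write for this stream.
 */
int lzma_output_limit(const unsigned char *in, size_t in_len,
                      size_t capacity, size_t *limit)
{
    uint64_t declared = 0;
    int i;

    if (in == NULL || limit == NULL || in_len < HDR_DATA_OFFSET)
        return LIMIT_BAD_INPUT;        /* header is truncated */

    for (i = 0; i < 8; i++)
        declared |= (uint64_t)in[HDR_SIZE_OFFSET + i] << (8 * i);

    if (declared == UINT64_MAX) {
        /* Size unknown: the capacity is the only bound available. */
        *limit = capacity;
        return LIMIT_OK;
    }
    if (declared > (uint64_t)capacity)
        return LIMIT_TOO_SMALL;        /* refuse before decoding anything */

    *limit = (size_t)declared;         /* never more than the stream claims */
    return LIMIT_OK;
}
```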


Re: [U-Boot] [PATCH 4/6] lzma: correctly bounds-check output buffer

2013-08-14 Thread Simon Glass
On Mon, Aug 12, 2013 at 5:02 PM, Kees Cook keesc...@chromium.org wrote:
> The output buffer size must be correctly passed to the lzma decoder or
> there is a risk of overflowing memory during decompression. Switching
> to the LZMA_FINISH_END mode means nothing is left in an unknown state
> once the buffer becomes full.
>
> Signed-off-by: Kees Cook keesc...@chromium.org

Acked-by: Simon Glass s...@chromium.org


[U-Boot] [PATCH 4/6] lzma: correctly bounds-check output buffer

2013-08-12 Thread Kees Cook
The output buffer size must be correctly passed to the lzma decoder or
there is a risk of overflowing memory during decompression. Switching
to the LZMA_FINISH_END mode means nothing is left in an unknown state
once the buffer becomes full.

Signed-off-by: Kees Cook keesc...@chromium.org
---
 lib/lzma/LzmaTools.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
index 28a8aef..2459fbe 100644
--- a/lib/lzma/LzmaTools.c
+++ b/lib/lzma/LzmaTools.c
@@ -113,15 +113,19 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, 
SizeT *uncompressedSize,
 g_Alloc.Alloc = SzAlloc;
 g_Alloc.Free = SzFree;
 
+/* Short-circuit early if we know the buffer can't hold the results. */
+if (outSizeFull != (SizeT)-1  *uncompressedSize  outSizeFull)
+return SZ_ERROR_OUTPUT_EOF;
+
 /* Decompress */
-outProcessed = outSizeFull;
+outProcessed = *uncompressedSize;
 
 WATCHDOG_RESET();
 
 res = LzmaDecode(
 outStream, outProcessed,
 inStream + LZMA_DATA_OFFSET, compressedSize,
-inStream, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, state, g_Alloc);
+inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, state, g_Alloc);
 *uncompressedSize = outProcessed;
 if (res != SZ_OK)  {
 return res;
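Review bot: The early return and `outProcessed = *uncompressedSize;` turn `*uncompressedSize` into an input (destination capacity) as well as an output (`*uncompressedSize = outProcessed;`), but nothing in the hunk documents that contract. Add a comment on `lzmaBuffToBuffDecompress` saying that callers must set `*uncompressedSize` to the size of `outStream` before the call, and that when `outSizeFull` is `(SizeT)-1` the early check does not apply, leaving that value as the only bound on the write.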
-- 
1.7.9.5
