dany/u-boot-megous
1
0
Fork 0
mirror of https://xff.cz/git/u-boot/ synced 2025-09-24 12:02:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

lzo: correctly bounds-check output buffer

Browse Source 
This checks the size of the output buffer and fails if it was going to
overflow the buffer during lzo decompression.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
This commit is contained in:
Kees Cook
2013-08-16 07:59:15 -07:00
committed by Simon Glass
parent afca294289
commit ff9d2efdbf
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/lzo/lzo1x_decompress.c
View File

@@ -68,13 +68,14 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
unsigned char *start = dst; unsigned char *start = dst;
const unsigned char *send = src + src_len; const unsigned char *send = src + src_len;
u32 slen, dlen; u32 slen, dlen;
size_t tmp; size_t tmp, remaining;
int r; int r;
src = parse_header(src); src = parse_header(src);
if (!src) if (!src)
return LZO_E_ERROR; return LZO_E_ERROR;
remaining = *dst_len;
while (src < send) { while (src < send) {
/* read uncompressed block size */ /* read uncompressed block size */
dlen = get_unaligned_be32(src); dlen = get_unaligned_be32(src);
@@ -93,6 +94,10 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
if (slen <= 0 || slen > dlen) if (slen <= 0 || slen > dlen)
return LZO_E_ERROR; return LZO_E_ERROR;
/* abort if buffer ran out of room */
if (dlen > remaining)
return LZO_E_OUTPUT_OVERRUN;
/* decompress */ /* decompress */
tmp = dlen; tmp = dlen;
r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp); r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp);
@@ -105,6 +110,7 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
src += slen; src += slen;
dst += dlen; dst += dlen;
remaining -= dlen;
} }
return LZO_E_INPUT_OVERRUN; return LZO_E_INPUT_OVERRUN;