summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorSimon Glass <sjg@chromium.org>2014-12-02 13:17:29 -0700
committerTom Rini <trini@ti.com>2015-01-14 11:35:43 -0500
commitf6eec89fa30009aabac081158e36364dc025a3a4 (patch)
treea37c863b7426f302638db92fa06879a12281be0c /lib
parent95099fee404024d3f150827da755b7b487be5ba8 (diff)
lzma: fix buffer bound check error further
Commit 4d3b8a0d fixed a problem with lzma decompress where it would run out of bytes to decompress. The algorithm needs to know how many uncompressed bytes it is expected to produce. However, the fix introduced a potential buffer overrun, and causes the compression test to fail (test_compression command in sandbox). The correct fix seems to be to use the minimum of the expected number of uncompressed bytes and the amount of output space available. That way things work normally when there is enough space, and return an error (without overrunning available space) when there is not. Signed-off-by: Antonios Vamporakis <ant@area128.com> CC: Kees Cook <keescook@chromium.org> CC: Simon Glass <sjg@chromium.org> CC: Daniel Schwierzeck <daniel.schwierzeck@gmail.com> CC: Luka Perkov <luka@openwrt.org> Signed-off-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/lzma/LzmaTools.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
index cfc7cb02f78..f88629b74f3 100644
--- a/lib/lzma/LzmaTools.c
+++ b/lib/lzma/LzmaTools.c
@@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
return SZ_ERROR_OUTPUT_EOF;
/* Decompress */
- outProcessed = outSizeFull;
+ outProcessed = min(outSizeFull, *uncompressedSize);
WATCHDOG_RESET();
@@ -112,7 +112,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
*uncompressedSize = outProcessed;
- debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);
+ debug("LZMA: Uncompressed ............... 0x%zx\n", outProcessed);
if (res != SZ_OK) {
return res;