X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;ds=sidebyside;f=lib%2Flzo%2Flzo1x_decompress.c;h=ebdf10b988de5964bb7769f2433ab91d8d99bffa;hb=ba1a10796316a5b81c1c91663148fc7da5843e3a;hp=09bdc8f6ca00324f8b7ec331da7ca58709e42bb9;hpb=83653121d7382fccfe329cb732f77f116341ef1d;p=u-boot

diff --git a/lib/lzo/lzo1x_decompress.c b/lib/lzo/lzo1x_decompress.c
index 09bdc8f6ca..ebdf10b988 100644
--- a/lib/lzo/lzo1x_decompress.c
+++ b/lib/lzo/lzo1x_decompress.c
@@ -32,7 +32,6 @@ static const unsigned char lzop_magic[] = {
 
 static inline const unsigned char *parse_header(const unsigned char *src)
 {
-	u8 level = 0;
 	u16 version;
 	int i;
 
@@ -47,7 +46,7 @@ static inline const unsigned char *parse_header(const unsigned char *src)
 	version = get_unaligned_be16(src);
 	src += 7;
 	if (version >= 0x0940)
-		level = *src++;
+		src++;
 	if (get_unaligned_be32(src) & HEADER_HAS_FILTER)
 		src += 4; /* filter info */
 
@@ -69,13 +68,14 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
 	unsigned char *start = dst;
 	const unsigned char *send = src + src_len;
 	u32 slen, dlen;
-	size_t tmp;
+	size_t tmp, remaining;
 	int r;
 
 	src = parse_header(src);
 	if (!src)
 		return LZO_E_ERROR;
 
+	remaining = *dst_len;
 	while (src < send) {
 		/* read uncompressed block size */
 		dlen = get_unaligned_be32(src);
@@ -94,18 +94,25 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
 		if (slen <= 0 || slen > dlen)
 			return LZO_E_ERROR;
 
+		/* abort if buffer ran out of room */
+		if (dlen > remaining)
+			return LZO_E_OUTPUT_OVERRUN;
+
 		/* decompress */
 		tmp = dlen;
 		r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp);
 
-		if (r != LZO_E_OK)
+		if (r != LZO_E_OK) {
+			*dst_len = dst - start;
 			return r;
+		}
 
 		if (dlen != tmp)
 			return LZO_E_ERROR;
 
 		src += slen;
 		dst += dlen;
+		remaining -= dlen;
 	}
 
 	return LZO_E_INPUT_OVERRUN;