From: Simon Glass Date: Tue, 2 Dec 2014 20:17:29 +0000 (-0700) Subject: lzma: fix buffer bound check error further X-Git-Tag: v2015.04-rc1~107 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=f6eec89fa30009aabac081158e36364dc025a3a4;p=u-boot lzma: fix buffer bound check error further Commit 4d3b8a0d fixed a problem with lzma decompress where it would run out of bytes to decompress. The algorithm needs to know how many uncompressed bytes it is expected to produce. However, the fix introduced a potential buffer overrun, and causes the compression test to fail (test_compression command in sandbox). The correct fix seems to be to use the minimum of the expected number of uncompressed bytes and the amount of output space available. That way things work normally when there is enough space, and return an error (without overrunning available space) when there is not. Signed-off-by: Antonios Vamporakis CC: Kees Cook CC: Simon Glass CC: Daniel Schwierzeck CC: Luka Perkov Signed-off-by: Simon Glass --- diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c index cfc7cb02f7..f88629b74f 100644 --- a/lib/lzma/LzmaTools.c +++ b/lib/lzma/LzmaTools.c @@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize, return SZ_ERROR_OUTPUT_EOF; /* Decompress */ - outProcessed = outSizeFull; + outProcessed = min(outSizeFull, *uncompressedSize); WATCHDOG_RESET(); @@ -112,7 +112,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize, inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc); *uncompressedSize = outProcessed; - debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed); + debug("LZMA: Uncompressed ............... 0x%zx\n", outProcessed); if (res != SZ_OK) { return res;