From: Kees Cook Date: Fri, 16 Aug 2013 14:59:15 +0000 (-0700) Subject: lzo: correctly bounds-check output buffer X-Git-Tag: v2013.10-rc3~30 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=ff9d2efdbf1b3b5263f81e843c6724b8bead7f1f;p=u-boot lzo: correctly bounds-check output buffer This checks the size of the output buffer and fails if it was going to overflow the buffer during lzo decompression. Signed-off-by: Kees Cook Acked-by: Simon Glass --- diff --git a/lib/lzo/lzo1x_decompress.c b/lib/lzo/lzo1x_decompress.c index e6ff708f11..35f3793f31 100644 --- a/lib/lzo/lzo1x_decompress.c +++ b/lib/lzo/lzo1x_decompress.c @@ -68,13 +68,14 @@ int lzop_decompress(const unsigned char *src, size_t src_len, unsigned char *start = dst; const unsigned char *send = src + src_len; u32 slen, dlen; - size_t tmp; + size_t tmp, remaining; int r; src = parse_header(src); if (!src) return LZO_E_ERROR; + remaining = *dst_len; while (src < send) { /* read uncompressed block size */ dlen = get_unaligned_be32(src); @@ -93,6 +94,10 @@ int lzop_decompress(const unsigned char *src, size_t src_len, if (slen <= 0 || slen > dlen) return LZO_E_ERROR; + /* abort if buffer ran out of room */ + if (dlen > remaining) + return LZO_E_OUTPUT_OVERRUN; + /* decompress */ tmp = dlen; r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp); @@ -105,6 +110,7 @@ int lzop_decompress(const unsigned char *src, size_t src_len, src += slen; dst += dlen; + remaining -= dlen; } return LZO_E_INPUT_OVERRUN;