Commit afca294289949b118a192b77be947379734ea620
Committed by
Simon Glass
1 parent
b75650d84d
lzma: correctly bounds-check output buffer
The output buffer size must be correctly passed to the lzma decoder or there is a risk of overflowing memory during decompression. Switching to the LZMA_FINISH_END mode means nothing is left in an unknown state once the buffer becomes full. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Simon Glass <sjg@chromium.org>
Showing 1 changed file with 6 additions and 2 deletions Side-by-side Diff
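--- a/lib/lzma/LzmaTools.c
+++ b/lib/lzma/LzmaTools.c
@@ -97,15 +97,19 @@
 	g_Alloc.Alloc = SzAlloc;
 	g_Alloc.Free = SzFree;
 
+	/* Short-circuit early if we know the buffer can't hold the results. */
+	if (outSizeFull != (SizeT)-1 && *uncompressedSize < outSizeFull)
+		return SZ_ERROR_OUTPUT_EOF;
+
 	/* Decompress */
-	outProcessed = outSizeFull;
+	outProcessed = *uncompressedSize;
 
 	WATCHDOG_RESET();
 
 	res = LzmaDecode(
 		outStream, &outProcessed,
 		inStream + LZMA_DATA_OFFSET, &compressedSize,
-		inStream, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, &state, &g_Alloc);
+		inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
 	*uncompressedSize = outProcessed;
 	if (res != SZ_OK) {
 		return res;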
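Review bot: The `(SizeT)-1` sentinel in the new guard is undocumented; it appears to mean "the LZMA header carries no uncompressed size", but outSizeFull is assembled above the hunk, so that reading is inferred and should be stated where the comparison is made. A comment such as `/* (SizeT)-1: header gives no size; let LzmaDecode bound output by *uncompressedSize */` on the new `if` would make the intent explicit. It is also worth noting in the same comment that the header-supplied length is used only to reject early and never to size the output — `outProcessed` is now the caller's buffer size and `LZMA_FINISH_END` makes a stream that would overrun it fail rather than truncate — so a later reader does not "restore" `outProcessed = outSizeFull`. If `SizeT` is 32-bit on some targets while the header field is wider, the comparison should be made on the un-truncated value; that code, and the rest of the enclosing function, lie outside the hunk.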