Commit b75650d84d4b7892179ae183523011f6d898423d
gzip: correctly bounds-check output buffer
The output buffer size must not be reset by the gzip decoder or there is a risk of overflowing memory during decompression. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Simon Glass <sjg@chromium.org>
Showing 1 changed file with 2 additions and 2 deletions Side-by-side Diff
... | ... | @@ -89,13 +89,13 @@ |
89 | 89 | s.avail_out = dstlen; |
90 | 90 | do { |
91 | 91 | r = inflate(&s, Z_FINISH); |
92 | - if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) { | |
92 | + if (stoponerr == 1 && r != Z_STREAM_END && | |
93 | + (s.avail_out == 0 || r != Z_BUF_ERROR)) { | |
93 | 94 | printf("Error: inflate() returned %d\n", r); |
94 | 95 | inflateEnd(&s); |
95 | 96 | return -1; |
96 | 97 | } |
97 | 98 | s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst); |
98 | - s.avail_out = dstlen; | |
99 | 99 | } while (r == Z_BUF_ERROR); |
100 | 100 | *lenp = s.next_out - (unsigned char *) dst; |
101 | 101 | inflateEnd(&s); |
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466
-
mentioned in commit 193466