Eric Lee / smarc-uboot

34
Download as
Browse Code ยป

Commit b75650d84d4b7892179ae183523011f6d898423d

Authored by Kees Cook
Committed by Simon Glass
1 parent 8ef7047845
Exists in master and in 53 other branches 8qm-imx_v2020.04_5.4.70_2.3.0, emb_lf_v2022.04, imx_v2015.04_4.1.15_1.0.0_ga, pitx_8mp_lf_v2020.04, smarc-8m-android-10.0.0_2.6.0, smarc-8m-android-11.0.0_2.0.0, smarc-8mp-android-11.0.0_2.0.0, smarc-emmc-imx_v2014.04_3.10.53_1.1.0_ga, smarc-emmc-imx_v2014.04_3.14.28_1.0.0_ga, smarc-imx-l5.0.0_1.0.0-ga, smarc-imx6_v2018.03_4.14.98_2.0.0_ga, smarc-imx7_v2017.03_4.9.11_1.0.0_ga, smarc-imx7_v2018.03_4.14.98_2.0.0_ga, smarc-imx_v2014.04_3.14.28_1.0.0_ga, smarc-imx_v2015.04_4.1.15_1.0.0_ga, smarc-imx_v2017.03_4.9.11_1.0.0_ga, smarc-imx_v2017.03_4.9.88_2.0.0_ga, smarc-imx_v2017.03_o8.1.0_1.3.0_8m, smarc-imx_v2018.03_4.14.78_1.0.0_ga, smarc-m6.0.1_2.1.0-ga, smarc-n7.1.2_2.0.0-ga, smarc-rel_imx_4.1.15_2.0.0_ga, smarc_8m-imx_v2018.03_4.14.98_2.0.0_ga, smarc_8m-imx_v2019.04_4.19.35_1.1.0, smarc_8m_00d0-imx_v2018.03_4.14.98_2.0.0_ga, smarc_8mm-imx_v2018.03_4.14.98_2.0.0_ga, smarc_8mm-imx_v2019.04_4.19.35_1.1.0, smarc_8mm-imx_v2020.04_5.4.24_2.1.0, smarc_8mp_lf_v2020.04, smarc_8mq-imx_v2020.04_5.4.24_2.1.0, smarc_8mq_lf_v2020.04, ti-u-boot-2015.07, v2013.10, v2013.10-smarct33, v2013.10-smartmen, v2014.01, v2014.04, v2014.04-smarct33, v2014.04-smarct33-emmc, v2014.04-smartmen, v2014.07, v2014.07-smarct33, v2014.07-smartmen, v2015.07-smarct33, v2015.07-smarct33-emmc, v2015.07-smarct4x, v2016.05-dlt, v2016.05-smarct3x, v2016.05-smarct3x-emmc, v2016.05-smarct4x, v2017.01-smarct3x, v2017.01-smarct3x-emmc, v2017.01-smarct4x

gzip: correctly bounds-check output buffer 

The output buffer size must not be reset by the gzip decoder or there
is a risk of overflowing memory during decompression.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>

Showing 1 changed file with 2 additions and 2 deletions Side-by-side Diff

... ... @@ -89,13 +89,13 @@
89 89 s.avail_out = dstlen;
90 90 do {
91 91 r = inflate(&s, Z_FINISH);
92   - if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) {
  92 + if (stoponerr == 1 && r != Z_STREAM_END &&
  93 + (s.avail_out == 0 || r != Z_BUF_ERROR)) {
93 94 printf("Error: inflate() returned %d\n", r);
94 95 inflateEnd(&s);
95 96 return -1;
96 97 }
97 98 s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst);
98   - s.avail_out = dstlen;
99 99 } while (r == Z_BUF_ERROR);
100 100 *lenp = s.next_out - (unsigned char *) dst;
101 101 inflateEnd(&s);