Commit ff9d2efdbf1b3b5263f81e843c6724b8bead7f1f
Committed by
Simon Glass
1 parent
afca294289
lzo: correctly bounds-check output buffer
This checks the size of the output buffer and fails if it was going to overflow the buffer during lzo decompression. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Simon Glass <sjg@chromium.org>
Showing 1 changed file with 7 additions and 1 deletions
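--- a/lib/lzo/lzo1x_decompress.c
+++ b/lib/lzo/lzo1x_decompress.c
@@ -68,13 +68,14 @@
 unsigned char *start = dst;
 const unsigned char *send = src + src_len;
 u32 slen, dlen;
-size_t tmp;
+size_t tmp, remaining;
 int r;
 
 src = parse_header(src);
 if (!src)
 return LZO_E_ERROR;
 
+remaining = *dst_len;
 while (src < send) {
 /* read uncompressed block size */
 dlen = get_unaligned_be32(src);
@@ -93,6 +94,10 @@
 if (slen <= 0 || slen > dlen)
 return LZO_E_ERROR;
 
+/* abort if buffer ran out of room */
+if (dlen > remaining)
+return LZO_E_OUTPUT_OVERRUN;
+
 /* decompress */
 tmp = dlen;
 r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp);
@@ -105,6 +110,7 @@
 
 src += slen;
 dst += dlen;
+remaining -= dlen;
 }
 
 return LZO_E_INPUT_OVERRUN;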
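Review bot: The new `dlen > remaining` check bounds only the output side; nothing visible in the second hunk bounds `slen` against the input still left before `lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp)` and `src += slen`. `slen` comes from the stream and is only compared with `dlen`, so a truncated or malformed image could make the decompressor read past `send`; a matching guard next to the new one would be `if (src > send || slen > (size_t)(send - src)) return LZO_E_INPUT_OVERRUN;`. The loop condition in the first hunk has the same gap on a smaller scale, since `src < send` guarantees one byte while `get_unaligned_be32(src)` reads four. The function starts before the first hunk and the lines between the hunks are not shown, so confirm no such check already sits there.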