Commit ff9d2efdbf1b3b5263f81e843c6724b8bead7f1f
Committed by
Simon Glass
Simon Glass
1 parent
afca294289
Exists in
master
and in
53 other branches
lzo: correctly bounds-check output buffer
This checks the size of the output buffer and fails if it was going to overflow the buffer during lzo decompression. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Simon Glass <sjg@chromium.org>
Showing 1 changed file with 7 additions and 1 deletions Side-by-side Diff
lib/lzo/lzo1x_decompress.c
| ... | ... | @@ -68,13 +68,14 @@ |
| 68 | 68 | unsigned char *start = dst; |
| 69 | 69 | const unsigned char *send = src + src_len; |
| 70 | 70 | u32 slen, dlen; |
| 71 | - size_t tmp; | |
| 71 | + size_t tmp, remaining; | |
| 72 | 72 | int r; |
| 73 | 73 | |
| 74 | 74 | src = parse_header(src); |
| 75 | 75 | if (!src) |
| 76 | 76 | return LZO_E_ERROR; |
| 77 | 77 | |
| 78 | + remaining = *dst_len; | |
| 78 | 79 | while (src < send) { |
| 79 | 80 | /* read uncompressed block size */ |
| 80 | 81 | dlen = get_unaligned_be32(src); |
| ... | ... | @@ -93,6 +94,10 @@ |
| 93 | 94 | if (slen <= 0 || slen > dlen) |
| 94 | 95 | return LZO_E_ERROR; |
| 95 | 96 | |
| 97 | + /* abort if buffer ran out of room */ | |
| 98 | + if (dlen > remaining) | |
| 99 | + return LZO_E_OUTPUT_OVERRUN; | |
| 100 | + | |
| 96 | 101 | /* decompress */ |
| 97 | 102 | tmp = dlen; |
| 98 | 103 | r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp); |
| ... | ... | @@ -105,6 +110,7 @@ |
| 105 | 110 | |
| 106 | 111 | src += slen; |
| 107 | 112 | dst += dlen; |
| 113 | + remaining -= dlen; | |
| 108 | 114 | } |
| 109 | 115 | |
| 110 | 116 | return LZO_E_INPUT_OVERRUN; |