[U-Boot] [PATCH] lzma: fix buffer bound check error

Antonios Vamporakis ant at area128.com
Tue Dec 31 02:57:01 CET 2013


Variable uncompressedSize references the space available, while outSizeFull is
the actual expected uncompressed size. Using the wrong value causes LzmaDecode
to return SZ_ERROR_INPUT_EOF. Problem was introduced in commit afca294. While
at it add additional debug message.

Signed-off-by: Antonios Vamporakis <ant at area128.com>
CC: Kees Cook <keescook at chromium.org>
CC: Simon Glass <sjg at chromium.org>
CC: Daniel Schwierzeck <daniel.schwierzeck at gmail.com>
CC: Luka Perkov <luka at openwrt.org>
---
 lib/lzma/LzmaTools.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
index 0aec2f9..90d31cd 100644
--- a/lib/lzma/LzmaTools.c
+++ b/lib/lzma/LzmaTools.c
@@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
         return SZ_ERROR_OUTPUT_EOF;
 
     /* Decompress */
-    outProcessed = *uncompressedSize;
+    outProcessed = outSizeFull;
 
     WATCHDOG_RESET();
 
@@ -111,6 +111,9 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
         inStream + LZMA_DATA_OFFSET, &compressedSize,
         inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
     *uncompressedSize = outProcessed;
+
+    debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);
+
     if (res != SZ_OK)  {
         return res;
     }
-- 
1.8.3.2



More information about the U-Boot mailing list