[U-Boot] [PATCH v2 01/12] lzma: fix buffer bound check error further

Simon Glass sjg at chromium.org
Tue Dec 2 21:17:29 CET 2014


Commit 4d3b8a0d fixed a problem with lzma decompress where it would
run out of bytes to decompress. The algorithm needs to know how many
uncompressed bytes it is expected to produce.

However, the fix introduced a potential buffer overrun, and causes
the compression test to fail (test_compression command in sandbox).

The correct fix seems to be to use the minimum of the expected number
of uncompressed bytes and the amount of output space available. That
way things work normally when there is enough space, and return an
error (without overrunning available space) when there is not.

Signed-off-by: Antonios Vamporakis <ant at area128.com>
CC: Kees Cook <keescook at chromium.org>
CC: Simon Glass <sjg at chromium.org>
CC: Daniel Schwierzeck <daniel.schwierzeck at gmail.com>
CC: Luka Perkov <luka at openwrt.org>

Signed-off-by: Simon Glass <sjg at chromium.org>
---

Changes in v2: None

 lib/lzma/LzmaTools.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
index cfc7cb0..f88629b 100644
--- a/lib/lzma/LzmaTools.c
+++ b/lib/lzma/LzmaTools.c
@@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
         return SZ_ERROR_OUTPUT_EOF;
 
     /* Decompress */
-    outProcessed = outSizeFull;
+    outProcessed = min(outSizeFull, *uncompressedSize);
 
     WATCHDOG_RESET();
 
@@ -112,7 +112,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
         inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
     *uncompressedSize = outProcessed;
 
-    debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);
+    debug("LZMA: Uncompressed ............... 0x%zx\n", outProcessed);
 
     if (res != SZ_OK)  {
         return res;
-- 
2.2.0.rc0.207.ga3a616c



More information about the U-Boot mailing list