From f6eec89fa30009aabac081158e36364dc025a3a4 Mon Sep 17 00:00:00 2001
From: Simon Glass
Date: Tue, 2 Dec 2014 13:17:29 -0700
Subject: lzma: fix buffer bound check error further
Commit 4d3b8a0d fixed a problem with lzma decompress where it would run out of bytes to decompress. The algorithm needs to know how many uncompressed bytes it is expected to produce. However, the fix introduced a potential buffer overrun, and causes the compression test to fail (test_compression command in sandbox). The correct fix seems to be to use the minimum of the expected number of uncompressed bytes and the amount of output space available. That way things work normally when there is enough space, and return an error (without overrunning available space) when there is not.
Signed-off-by: Antonios Vamporakis
CC: Kees Cook
CC: Simon Glass
CC: Daniel Schwierzeck
CC: Luka Perkov
Signed-off-by: Simon Glass
---
 lib/lzma/LzmaTools.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
index cfc7cb02f7..f88629b74f 100644
--- a/lib/lzma/LzmaTools.c
+++ b/lib/lzma/LzmaTools.c
@@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
 return SZ_ERROR_OUTPUT_EOF;
 /* Decompress */
- outProcessed = outSizeFull;
+ outProcessed = min(outSizeFull, *uncompressedSize);
 WATCHDOG_RESET();
@@ -112,7 +112,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
 inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
 *uncompressedSize = outProcessed;
- debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);
+ debug("LZMA: Uncompressed ............... 0x%zx\n", outProcessed);
 if (res != SZ_OK) {
 return res;
-- cgit
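Review bot: The clamp in the first hunk, `outProcessed = min(outSizeFull, *uncompressedSize);`, treats `*uncompressedSize` as the capacity of `outStream` on entry, but nothing visible here documents that in/out contract, and the line after the decode overwrites the same variable with the byte count. The bound is only as strong as the value the caller passes, so a caller that leaves it uninitialised or passes a maximum-value placeholder gets no protection; I would add a comment above the assignment such as `/* *uncompressedSize is the outStream capacity on entry; clamp so LzmaDecode cannot write past it */` and state the same in the function's header comment. When the clamp does truncate, the result is whatever LzmaDecode returns rather than the SZ_ERROR_OUTPUT_EOF used just above, so callers presumably cannot tell a too-small buffer from corrupt input; worth confirming that is intended. The function starts and ends outside both hunks, so the earlier size check and the callers are not visible here.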