2014-07-16 10:43:44 +00:00
|
|
|
From: Antonios Vamporakis <ant@area128.com>
|
|
|
|
Date: Tue, 31 Dec 2013 01:05:42 +0100
|
|
|
|
Subject: [PATCH] lzma: fix buffer bound check error
|
|
|
|
|
|
|
|
Variable uncompressedSize references the space available, while outSizeFull is
|
|
|
|
the actual expected uncompressed size. Using the wrong value causes LzmaDecode
|
|
|
|
to return SZ_ERROR_INPUT_EOF. Problem was introduced in commit afca294. While
|
|
|
|
at it add additional debug message.
|
|
|
|
|
|
|
|
Signed-off-by: Antonios Vamporakis <ant@area128.com>
|
|
|
|
CC: Kees Cook <keescook@chromium.org>
|
|
|
|
CC: Simon Glass <sjg@chromium.org>
|
|
|
|
CC: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
|
|
|
|
CC: Luka Perkov <luka@openwrt.org>
|
|
|
|
---
|
|
|
|
lib/lzma/LzmaTools.c | 5 ++++-
|
|
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
|
|
|
|
--- a/lib/lzma/LzmaTools.c
|
|
|
|
+++ b/lib/lzma/LzmaTools.c
|
2016-05-21 12:13:36 +02:00
|
|
|
@@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned c
|
2014-07-16 10:43:44 +00:00
|
|
|
return SZ_ERROR_OUTPUT_EOF;
|
|
|
|
|
|
|
|
/* Decompress */
|
|
|
|
- outProcessed = *uncompressedSize;
|
|
|
|
+ outProcessed = outSizeFull;
|
|
|
|
|
|
|
|
WATCHDOG_RESET();
|
|
|
|
|
2016-05-21 12:13:36 +02:00
|
|
|
@@ -111,6 +111,9 @@ int lzmaBuffToBuffDecompress (unsigned c
|
2014-07-16 10:43:44 +00:00
|
|
|
inStream + LZMA_DATA_OFFSET, &compressedSize,
|
|
|
|
inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
|
|
|
|
*uncompressedSize = outProcessed;
|
|
|
|
+
|
|
|
|
+ debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);
|
|
|
|
+
|
|
|
|
if (res != SZ_OK) {
|
|
|
|
return res;
|
|
|
|
}
|