[U-Boot,3/6] gzip: correctly bounds-check output buffer

Message ID 1376348524-25510-4-git-send-email-keescook@chromium.org
State Superseded
Delegated to: Tom Rini

Commit Message

Kees Cook Aug. 12, 2013, 11:02 p.m. UTC
The output buffer size must not be reset by the gzip decoder, or there is a
risk of overflowing memory during decompression.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 lib/gunzip.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Simon Glass Aug. 14, 2013, 5:37 p.m. UTC | #1
On Mon, Aug 12, 2013 at 5:02 PM, Kees Cook <keescook@chromium.org> wrote:
> The output buffer size must not be reset by the gzip decoder, or there is a
> risk of overflowing memory during decompression.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>

Looks right to me.

Acked-by: Simon Glass <sjg@chromium.org>

Patch

diff --git a/lib/gunzip.c b/lib/gunzip.c
index 99a8ab0..682a05f 100644
--- a/lib/gunzip.c
+++ b/lib/gunzip.c
@@ -105,13 +105,13 @@  int zunzip(void *dst, int dstlen, unsigned char *src, unsigned long *lenp,
 	s.avail_out = dstlen;
 	do {
 		r = inflate(&s, Z_FINISH);
-		if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) {
+		if (stoponerr == 1 && r != Z_STREAM_END &&
+		    (s.avail_out == 0 || r != Z_BUF_ERROR)) {
 			printf("Error: inflate() returned %d\n", r);
 			inflateEnd(&s);
 			return -1;
 		}
 		s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst);
-		s.avail_out = dstlen;
 	} while (r == Z_BUF_ERROR);
 	*lenp = s.next_out - (unsigned char *) dst;
 	inflateEnd(&s);
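Review bot: with the `s.avail_out = dstlen;` reset removed, the loop can no longer terminate on the non-stoponerr path once the output buffer fills: inflate() keeps returning Z_BUF_ERROR with `s.avail_out == 0`, the new error branch is skipped because it is guarded by `stoponerr == 1`, and nothing else in the loop body changes state between iterations, so `while (r == Z_BUF_ERROR)` spins forever. Suggest extending the loop condition to `while (r == Z_BUF_ERROR && s.avail_out != 0)` (or breaking out when `s.avail_out` reaches 0) so that callers with stoponerr == 0 still exit with the partial output and the truncated length in *lenp. Unrelated to this change but visible in the context: the `s.avail_in` recalculation subtracts the output position `s.next_out - dst` from the input length, which looks like it mixes up the input and output cursors and may be worth a separate look.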