[U-Boot,4/6] lzma: correctly bounds-check output buffer

Message ID	1376348524-25510-5-git-send-email-keescook@chromium.org
State	Superseded
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Kees Cook <keescook@chromium.org> To: u-boot@lists.denx.de Date: Mon, 12 Aug 2013 16:02:02 -0700 Message-Id: <1376348524-25510-5-git-send-email-keescook@chromium.org> In-Reply-To: <1376348524-25510-1-git-send-email-keescook@chromium.org> References: <1376348524-25510-1-git-send-email-keescook@chromium.org> Cc: Catalin Radu <Catalin@VirtualMetrix.com> Subject: [U-Boot] [PATCH 4/6] lzma: correctly bounds-check output buffer Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: u-boot-bounces@lists.denx.de Errors-To: u-boot-bounces@lists.denx.de

Message ID

1376348524-25510-5-git-send-email-keescook@chromium.org

State

Superseded

Delegated to:

Tom Rini

Headers

From: Kees Cook <keescook@chromium.org>
To: u-boot@lists.denx.de
Date: Mon, 12 Aug 2013 16:02:02 -0700
Message-Id: <1376348524-25510-5-git-send-email-keescook@chromium.org>
In-Reply-To: <1376348524-25510-1-git-send-email-keescook@chromium.org>
References: <1376348524-25510-1-git-send-email-keescook@chromium.org>
Cc: Catalin Radu <Catalin@VirtualMetrix.com>
Subject: [U-Boot] [PATCH 4/6] lzma: correctly bounds-check output buffer
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: u-boot-bounces@lists.denx.de
Errors-To: u-boot-bounces@lists.denx.de

Commit Message

Kees Cook Aug. 12, 2013, 11:02 p.m. UTC

The output buffer size must be correctly passed to the lzma decoder or
there is a risk of overflowing memory during decompression. Switching
to the LZMA_FINISH_END mode means nothing is left in an unknown state
once the buffer becomes full.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 lib/lzma/LzmaTools.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Simon Glass Aug. 14, 2013, 5:43 p.m. UTC | #1

On Mon, Aug 12, 2013 at 5:02 PM, Kees Cook <keescook@chromium.org> wrote:
> The output buffer size must be correctly passed to the lzma decoder or
> there is a risk of overflowing memory during decompression. Switching
> to the LZMA_FINISH_END mode means nothing is left in an unknown state
> once the buffer becomes full.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>

Acked-by: Simon Glass <sjg@chromium.org>

diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
index 28a8aef..2459fbe 100644
--- a/lib/lzma/LzmaTools.c
+++ b/lib/lzma/LzmaTools.c
@@ -113,15 +113,19 @@  int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
     g_Alloc.Alloc = SzAlloc;
     g_Alloc.Free = SzFree;
 
+    /* Short-circuit early if we know the buffer can't hold the results. */
+    if (outSizeFull != (SizeT)-1 && *uncompressedSize < outSizeFull)
+        return SZ_ERROR_OUTPUT_EOF;
+
     /* Decompress */
-    outProcessed = outSizeFull;
+    outProcessed = *uncompressedSize;
 
     WATCHDOG_RESET();
 
     res = LzmaDecode(
         outStream, &outProcessed,
         inStream + LZMA_DATA_OFFSET, &compressedSize,
-        inStream, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, &state, &g_Alloc);
+        inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
     *uncompressedSize = outProcessed;
     if (res != SZ_OK)  {
         return res;

[U-Boot,4/6] lzma: correctly bounds-check output buffer

Commit Message

Comments

Patch