Patchwork [U-Boot,5/6] lzo: correctly bounds-check output buffer

Submitter Kees Cook
Date Aug. 16, 2013, 2:59 p.m.
Message ID <1376665157-31268-6-git-send-email-keescook@chromium.org>
Permalink /patch/267672/
State Accepted
Delegated to: Tom Rini

Comments

Kees Cook - Aug. 16, 2013, 2:59 p.m.
This checks the size of the output buffer and fails if it was going to
overflow the buffer during lzo decompression.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
---
 lib/lzo/lzo1x_decompress.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Patch

diff --git a/lib/lzo/lzo1x_decompress.c b/lib/lzo/lzo1x_decompress.c
index e6ff708..35f3793 100644
--- a/lib/lzo/lzo1x_decompress.c
+++ b/lib/lzo/lzo1x_decompress.c
@@ -68,13 +68,14 @@  int lzop_decompress(const unsigned char *src, size_t src_len,
 	unsigned char *start = dst;
 	const unsigned char *send = src + src_len;
 	u32 slen, dlen;
-	size_t tmp;
+	size_t tmp, remaining;
 	int r;
 
 	src = parse_header(src);
 	if (!src)
 		return LZO_E_ERROR;
 
+	remaining = *dst_len;
 	while (src < send) {
 		/* read uncompressed block size */
 		dlen = get_unaligned_be32(src);
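Review bot: `remaining = *dst_len;` turns dst_len into an in/out parameter, because it is now read as the capacity of dst before the loop writes anything. A caller that still treats it as output-only and passes an uninitialised size_t would hand the check an arbitrary bound, so the call sites (not part of this patch) need auditing with this change. I would state the contract in the comment above lzop_decompress, for example `/* on entry *dst_len must hold the size of the dst buffer in bytes */`. The function body starts before and continues past this hunk.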
@@ -93,6 +94,10 @@  int lzop_decompress(const unsigned char *src, size_t src_len,
 		if (slen <= 0 || slen > dlen)
 			return LZO_E_ERROR;
 
+		/* abort if buffer ran out of room */
+		if (dlen > remaining)
+			return LZO_E_OUTPUT_OVERRUN;
+
 		/* decompress */
 		tmp = dlen;
 		r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp);
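Review bot: The new `dlen > remaining` test bounds the output side only. In the lines shown, `slen` comes from the stream and is passed to lzo1x_decompress_safe() as the input length without being compared with the bytes left before `send`. Unless that is checked in the part of the loop outside this hunk, a block header that claims more compressed data than the image holds would let the decompressor read past the end of src. A matching guard next to the new one would be `if (slen > (size_t)(send - src)) return LZO_E_INPUT_OVERRUN;`. The `get_unaligned_be32(src)` read at the top of the loop in the first hunk is likewise guarded only by `src < send`.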
@@ -105,6 +110,7 @@  int lzop_decompress(const unsigned char *src, size_t src_len,
 
 		src += slen;
 		dst += dlen;
+		remaining -= dlen;
 	}
 
 	return LZO_E_INPUT_OVERRUN;
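Review bot: `remaining -= dlen;` follows the existing `dst += dlen;` in charging the declared block size rather than `tmp`, the count that lzo1x_decompress_safe() actually reported. That is safe for the bound, since the check added in the previous hunk guarantees dlen <= remaining and the subtraction cannot wrap, but it deserves a comment: `/* cannot underflow: dlen <= remaining was checked above */`. Whether `tmp != dlen` is rejected is decided in lines between the hunks that are not shown. If it is not, a short block would leave unwritten bytes in dst that are still counted as output.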