| 1234567891011121314151617181920212223242526272829303132333435363738394041424344 |
- From: Antonios Vamporakis <ant@area128.com>
- Date: Tue, 31 Dec 2013 01:05:42 +0100
- Subject: [PATCH] lzma: fix buffer bound check error
- Variable uncompressedSize references the space available, while outSizeFull is
- the actual expected uncompressed size. Using the wrong value causes LzmaDecode
- to return SZ_ERROR_INPUT_EOF. Problem was introduced in commit afca294. While
- at it add additional debug message.
- Signed-off-by: Antonios Vamporakis <ant@area128.com>
- CC: Kees Cook <keescook@chromium.org>
- CC: Simon Glass <sjg@chromium.org>
- CC: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
- CC: Luka Perkov <luka@openwrt.org>
- ---
- lib/lzma/LzmaTools.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
- diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
- index 0aec2f9..90d31cd 100644
- --- a/lib/lzma/LzmaTools.c
- +++ b/lib/lzma/LzmaTools.c
- @@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
- return SZ_ERROR_OUTPUT_EOF;
-
- /* Decompress */
- - outProcessed = *uncompressedSize;
- + outProcessed = outSizeFull;
-
- WATCHDOG_RESET();
-
- @@ -111,6 +111,9 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
- inStream + LZMA_DATA_OFFSET, &compressedSize,
- inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
- *uncompressedSize = outProcessed;
- +
- + debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);
- +
- if (res != SZ_OK) {
- return res;
- }
- --
- 1.8.3.2
|
