lzo: correctly bounds-check output buffer

This checks the size of the output buffer and fails if it was going to
overflow the buffer during lzo decompression.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
master
Kees Cook 11 years ago committed by Simon Glass
parent afca294289
commit ff9d2efdbf
  1. 8
      lib/lzo/lzo1x_decompress.c

@ -68,13 +68,14 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
unsigned char *start = dst;
const unsigned char *send = src + src_len;
u32 slen, dlen;
size_t tmp;
size_t tmp, remaining;
int r;
src = parse_header(src);
if (!src)
return LZO_E_ERROR;
remaining = *dst_len;
while (src < send) {
/* read uncompressed block size */
dlen = get_unaligned_be32(src);
@ -93,6 +94,10 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
if (slen <= 0 || slen > dlen)
return LZO_E_ERROR;
/* abort if buffer ran out of room */
if (dlen > remaining)
return LZO_E_OUTPUT_OVERRUN;
/* decompress */
tmp = dlen;
r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp);
@ -105,6 +110,7 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
src += slen;
dst += dlen;
remaining -= dlen;
}
return LZO_E_INPUT_OVERRUN;

Loading…
Cancel
Save