lzo: correctly bounds-check output buffer

This checks the size of the output buffer and fails if it was going to overflow the buffer during lzo decompression. Signed-off-by: N Kees Cook <keescook@chromium.org> Acked-by: N Simon Glass <sjg@chromium.org>

lzo: correctly bounds-check output buffer
This checks the size of the output buffer and fails if it was going to overflow the buffer during lzo decompression. Signed-off-by: N Kees Cook <keescook@chromium.org> Acked-by: N Simon Glass <sjg@chromium.org>
ff9d2efd · Kees Cook · Simon Glass · afca2942 · ff9d2efd
隐藏空白更改
内联并排

Showing with 7 addition and 1 deletion

lib/lzo/lzo1x_decompress.c lib/lzo/lzo1x_decompress.c +7 -1

未找到文件。
--- a/lib/lzo/lzo1x_decompress.c
+++ b/lib/lzo/lzo1x_decompress.c
@@ -68,13 +68,14 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
 	unsigned char *start = dst;
 	const unsigned char *send = src + src_len;
 	u32 slen, dlen;
-	size_t tmp;
+	size_t tmp, remaining;
 	int r;

 	src = parse_header(src);
 	if (!src)
 		return LZO_E_ERROR;

+	remaining = *dst_len;
 	while (src < send) {
 		/* read uncompressed block size */
 		dlen = get_unaligned_be32(src);
@@ -93,6 +94,10 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
 		if (slen <= 0 || slen > dlen)
 			return LZO_E_ERROR;

+		/* abort if buffer ran out of room */
+		if (dlen > remaining)
+			return LZO_E_OUTPUT_OVERRUN;
+
 		/* decompress */
 		tmp = dlen;
 		r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp);
@@ -105,6 +110,7 @@ int lzop_decompress(const unsigned char *src, size_t src_len,

 		src += slen;
 		dst += dlen;
+		remaining -= dlen;
 	}

 	return LZO_E_INPUT_OVERRUN;