40 lines
		
	
	
		
			1.3 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
			
		
		
	
	
			40 lines
		
	
	
		
			1.3 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
| From: Antonios Vamporakis <ant@area128.com>
 | |
| Date: Tue, 31 Dec 2013 01:05:42 +0100
 | |
| Subject: [PATCH] lzma: fix buffer bound check error
 | |
| 
 | |
| Variable uncompressedSize references the space available, while outSizeFull is
 | |
| the actual expected uncompressed size. Using the wrong value causes LzmaDecode
 | |
| to return SZ_ERROR_INPUT_EOF. Problem was introduced in commit afca294. While
 | |
| at it add additional debug message.
 | |
| 
 | |
| Signed-off-by: Antonios Vamporakis <ant@area128.com>
 | |
| CC: Kees Cook <keescook@chromium.org>
 | |
| CC: Simon Glass <sjg@chromium.org>
 | |
| CC: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
 | |
| CC: Luka Perkov <luka@openwrt.org>
 | |
| ---
 | |
|  lib/lzma/LzmaTools.c | 5 ++++-
 | |
|  1 file changed, 4 insertions(+), 1 deletion(-)
 | |
| 
 | |
| --- a/lib/lzma/LzmaTools.c
 | |
| +++ b/lib/lzma/LzmaTools.c
 | |
| @@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned c
 | |
|          return SZ_ERROR_OUTPUT_EOF;
 | |
|  
 | |
|      /* Decompress */
 | |
| -    outProcessed = *uncompressedSize;
 | |
| +    outProcessed = outSizeFull;
 | |
|  
 | |
|      WATCHDOG_RESET();
 | |
|  
 | |
| @@ -111,6 +111,9 @@ int lzmaBuffToBuffDecompress (unsigned c
 | |
|          inStream + LZMA_DATA_OFFSET, &compressedSize,
 | |
|          inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
 | |
|      *uncompressedSize = outProcessed;
 | |
| +
 | |
| +    debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);
 | |
| +
 | |
|      if (res != SZ_OK)  {
 | |
|          return res;
 | |
|      }
 | 
