Commit 4d3b8a0d fixed a problem with lzma decompress where it would run out of bytes to decompress. The algorithm needs to know how many uncompressed bytes it is expected to produce.
However, the fix introduced a potential buffer overrun, and causes the compression test to fail (test_compression command in sandbox).
The correct fix seems to be to use the minimum of the expected number of uncompressed bytes and the amount of output space available. That way things work normally when there is enough space, and return an error (without overrunning available space) when there is not.
Signed-off-by: Antonios Vamporakis ant@area128.com CC: Kees Cook keescook@chromium.org CC: Simon Glass sjg@chromium.org CC: Daniel Schwierzeck daniel.schwierzeck@gmail.com CC: Luka Perkov luka@openwrt.org
Signed-off-by: Simon Glass sjg@chromium.org ---
Changes in v2: None
lib/lzma/LzmaTools.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c index cfc7cb0..f88629b 100644 --- a/lib/lzma/LzmaTools.c +++ b/lib/lzma/LzmaTools.c @@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize, return SZ_ERROR_OUTPUT_EOF;
/* Decompress */ - outProcessed = outSizeFull; + outProcessed = min(outSizeFull, *uncompressedSize);
WATCHDOG_RESET();
@@ -112,7 +112,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize, inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc); *uncompressedSize = outProcessed;
- debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed); + debug("LZMA: Uncompressed ............... 0x%zx\n", outProcessed);
if (res != SZ_OK) { return res;