|
|
@@ -0,0 +1,44 @@
|
|
|
+From: Antonios Vamporakis <[email protected]>
|
|
|
+Date: Tue, 31 Dec 2013 01:05:42 +0100
|
|
|
+Subject: [PATCH] lzma: fix buffer bound check error
|
|
|
+
|
|
|
+Variable uncompressedSize references the space available, while outSizeFull is
|
|
|
+the actual expected uncompressed size. Using the wrong value causes LzmaDecode
|
|
|
+to return SZ_ERROR_INPUT_EOF. Problem was introduced in commit afca294. While
|
|
|
+at it add additional debug message.
|
|
|
+
|
|
|
+Signed-off-by: Antonios Vamporakis <[email protected]>
|
|
|
+CC: Kees Cook <[email protected]>
|
|
|
+CC: Simon Glass <[email protected]>
|
|
|
+CC: Daniel Schwierzeck <[email protected]>
|
|
|
+CC: Luka Perkov <[email protected]>
|
|
|
+---
|
|
|
+ lib/lzma/LzmaTools.c | 5 ++++-
|
|
|
+ 1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
+
|
|
|
+diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
|
|
|
+index 0aec2f9..90d31cd 100644
|
|
|
+--- a/lib/lzma/LzmaTools.c
|
|
|
++++ b/lib/lzma/LzmaTools.c
|
|
|
+@@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
|
|
|
+ return SZ_ERROR_OUTPUT_EOF;
|
|
|
+
|
|
|
+ /* Decompress */
|
|
|
+- outProcessed = *uncompressedSize;
|
|
|
++ outProcessed = outSizeFull;
|
|
|
+
|
|
|
+ WATCHDOG_RESET();
|
|
|
+
|
|
|
+@@ -111,6 +111,9 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
|
|
|
+ inStream + LZMA_DATA_OFFSET, &compressedSize,
|
|
|
+ inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
|
|
|
+ *uncompressedSize = outProcessed;
|
|
|
++
|
|
|
++ debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);
|
|
|
++
|
|
|
+ if (res != SZ_OK) {
|
|
|
+ return res;
|
|
|
+ }
|
|
|
+--
|
|
|
+1.8.3.2
|
|
|
+
|
John Crispin