libpayload: Fix possible NULL deref in cbfs_get_file_content()

Change-Id: I2e10ccac3248717d90838ca721cc691de792b507
Signed-off-by: Nico Huber <nico.huber@secunet.com>
Reviewed-on: http://review.coreboot.org/11780
Tested-by: build bot (Jenkins)
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>

1 files changed, 7 insertions, 6 deletions

diff --git a/payloads/libpayload/libcbfs/cbfs_core.c b/payloads/libpayload/libcbfs/cbfs_core.c
index 4c898c62ac..369d946f81 100644
--- a/payloads/libpayload/libcbfs/cbfs_core.c
+++ b/payloads/libpayload/libcbfs/cbfs_core.c
@@ -207,14 +207,12 @@ void *cbfs_get_file_content(struct cbfs_media *media, const char *name,
 		return NULL;
 	}
 
-	if (sz)
-		*sz = ntohl(file->len);
-
 	void *file_content = (void *)CBFS_SUBHEADER(file);
 
 	struct cbfs_file_attribute *attr =
 		cbfs_file_find_attr(file, CBFS_FILE_ATTR_TAG_COMPRESSION);
 
+	size_t final_size = ntohl(file->len);
 	int compression_algo = CBFS_COMPRESS_NONE;
 	if (attr) {
 		struct cbfs_file_attr_compression *comp =
@@ -222,16 +220,19 @@ void *cbfs_get_file_content(struct cbfs_media *media, const char *name,
 		compression_algo = ntohl(comp->compression);
 		DEBUG("File '%s' is compressed (alg=%d)\n",
 		      name, compression_algo);
-		*sz = ntohl(comp->decompressed_size);
+		final_size = ntohl(comp->decompressed_size);
 	}
 
-	void *dst = malloc(*sz);
+	void *dst = malloc(final_size);
 	if (dst == NULL)
 		goto err;
 
-	if (!cbfs_decompress(compression_algo, file_content, dst, *sz))
+	if (!cbfs_decompress(compression_algo, file_content, dst, final_size))
 		goto err;
 
+	if (sz)
+		*sz = final_size;
+
 	media->unmap(media, file);
 	return dst;