author | Hung-Te Lin <hungte@chromium.org> | 2013-01-31 12:14:46 +0800 |
---|---|---|
committer | Ronald G. Minnich <rminnich@gmail.com> | 2013-02-01 06:15:49 +0100 |
commit | d51557ade2a9f29cbb4e0f38d5a4920b42486168 (patch) | |
tree | 970bb9b9100e021bd7f626210e24fc65c7af3d23 | |
parent | 05dccae75df4ed0c6a75867a89cf1a4055507e28 (diff) |
lib: Prevent unaligned memory access and fix endianess in LZMA decode library.
LZMA decode library used to retrieve output size by:
outSize = *(UInt32 *)(src + LZMA_PROPERTIES_SIZE);
'src' is aligned, but src + LZMA_PROPERTIES_SIZE may be an unaligned address
such as src+5, and dereferencing it as an integer pointer may fail on platforms
like ARM. It also gives the wrong value on big-endian systems, because outSize
is encoded in little-endian.
To fix this, reconstruct outSize in little-endian way.
Change-Id: If678e735cb270c3e5e29f36f1fad318096bf7d59
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: http://review.coreboot.org/2246
Tested-by: build bot (Jenkins)
Reviewed-by: Ronald G. Minnich <rminnich@gmail.com>
-rw-r--r-- | src/lib/lzma.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/lzma.c b/src/lib/lzma.c
index f0b88c12e2..cd60b3f3b2 100644
--- a/src/lib/lzma.c
+++ b/src/lib/lzma.c
@@ -29,9 +29,15 @@ unsigned long ulzma(unsigned char * src, unsigned char * dst)
 #endif
 /* in pre-ram, it must go on the stack */
 unsigned char scratchpad[15980];
+ unsigned char *cp;
 memcpy(properties, src, LZMA_PROPERTIES_SIZE);
- outSize = *(UInt32 *)(src + LZMA_PROPERTIES_SIZE);
+ /* The outSize in LZMA stream is a 64bit integer stored in little-endian
+ * (ref: lzma.cc@LZMACompress: put_64). To prevent accessing by
+ * unaligned memory address and to load in correct endianess, read each
+ * byte and re-costruct. */
+ cp = src + LZMA_PROPERTIES_SIZE;
+ outSize = cp[3] << 24 | cp[2] << 16 | cp[1] << 8 | cp[0];
 if (LzmaDecodeProperties(&state.Properties, properties, LZMA_PROPERTIES_SIZE) != LZMA_RESULT_OK) {
 printk(BIOS_WARNING, "lzma: Incorrect stream properties.\n");
 return 0; |
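Review bot: In the new `outSize` line, `cp[3] << 24` shifts an `unsigned char` that has been promoted to `int`, so a byte of 0x80 or above shifts into the sign bit, which is undefined behaviour; widen before shifting, e.g. `outSize = (UInt32)cp[3] << 24 | (UInt32)cp[2] << 16 | (UInt32)cp[1] << 8 | cp[0];`. The added comment says the field is 64 bits wide, yet `cp[4]`..`cp[7]` are never read, so a header whose upper half is non-zero is silently truncated rather than rejected. Since `ulzma()` takes no destination length, the header value appears to be the only bound on how much is written to `dst`, so it is worth checking here. The comment also has a typo (`re-costruct`). The body of `ulzma()` starts and ends outside this hunk, so how `outSize` is used later is not visible.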