summaryrefslogtreecommitdiff
path: root/payloads/libpayload
diff options
context:
space:
mode:
authorJulius Werner <jwerner@chromium.org>2015-07-16 13:59:57 -0700
committerPatrick Georgi <pgeorgi@google.com>2015-07-21 21:27:42 +0200
commitbf697566da9a59a37d1bf3dfa1839fd5aee33f56 (patch)
treebda58762ed8bce8ca4ebd3adf93f6cac893175d9 /payloads/libpayload
parent7fea2707efcdeb5559c333c96aad5b6632dd0fae (diff)
libpayload: lz4: Add output overrun check to incompressible case
The LZ4 decompressor currently doesn't check for output overruns before writing data in the case where a block had been incompressible (and included verbatim in the compression stream). This is extremely unlikely with the default 4MB blocks, but still a nice thing to fix. We'll still output as much data as we can before returning an error to support partial decompression use cases. This matches the behavior already in place for normal, LZ4-compressed blocks where the decompression function is already (supposed to be) doing complete bounds checking (although it is not guaranteed to output all valid bytes before aborting on an output overrun, and you should try to provide a few dozen bytes of extra buffer space beyond the parts you're interested in on partial decompression). BRANCH=None BUG=chrome-os-partner:32184 TEST=None Change-Id: I5e40c8cec8947ec0ec8f6d8c8fa2574cfb4dc958 Signed-off-by: Patrick Georgi <pgeorgi@chromium.org> Original-Commit-Id: 636985334c9b3b93a12d4066d2829f1f999c9315 Original-Change-Id: Iecf44650aade60b9fa1b13e57da752fb482a3f3f Original-Signed-off-by: Julius Werner <jwerner@chromium.org> Original-Reviewed-on: https://chromium-review.googlesource.com/286240 Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org> Reviewed-on: http://review.coreboot.org/11016 Tested-by: build bot (Jenkins) Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org> Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Diffstat (limited to 'payloads/libpayload')
-rw-r--r--payloads/libpayload/liblz4/lz4_wrapper.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/payloads/libpayload/liblz4/lz4_wrapper.c b/payloads/libpayload/liblz4/lz4_wrapper.c
index b04659783d..431fb55cc0 100644
--- a/payloads/libpayload/liblz4/lz4_wrapper.c
+++ b/payloads/libpayload/liblz4/lz4_wrapper.c
@@ -132,8 +132,12 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn)
return out - dst; /* decompression successful */
if (b.not_compressed) {
- memcpy(out, in, b.size);
- out += b.size;
+ size_t size = MIN((u32)b.size, dst + dstn - out);
+ memcpy(out, in, size);
+ if (size < b.size)
+ return 0; /* output overrun */
+ else
+ out += size;
} else {
/* constant folding essential, do not touch params! */
int ret = LZ4_decompress_generic(in, out, b.size,