diff options
author | Julius Werner <jwerner@chromium.org> | 2015-07-16 13:59:57 -0700 |
---|---|---|
committer | Patrick Georgi <pgeorgi@google.com> | 2015-07-21 21:27:42 +0200 |
commit | bf697566da9a59a37d1bf3dfa1839fd5aee33f56 (patch) | |
tree | bda58762ed8bce8ca4ebd3adf93f6cac893175d9 /payloads/libpayload | |
parent | 7fea2707efcdeb5559c333c96aad5b6632dd0fae (diff) |
libpayload: lz4: Add output overrun check to incompressible case
The LZ4 decompressor currently doesn't check for output overruns before
writing data in the case where a block had been incompressible (and
included verbatim in the compression stream). This is extremely unlikely
with the default 4MB blocks, but still a nice thing to fix. We'll still
output as much data as we can before returning an error to support
partial decompression use cases.
This matches the behavior already in place for normal, LZ4-compressed
blocks where the decompression function is already (supposed to be)
doing complete bounds checking (although it is not guaranteed to output
all valid bytes before aborting on an output overrun, and you should try
to provide a few dozen bytes of extra buffer space beyond the parts
you're interested in on partial decompression).
BRANCH=None
BUG=chrome-os-partner:32184
TEST=None
Change-Id: I5e40c8cec8947ec0ec8f6d8c8fa2574cfb4dc958
Signed-off-by: Patrick Georgi <pgeorgi@chromium.org>
Original-Commit-Id: 636985334c9b3b93a12d4066d2829f1f999c9315
Original-Change-Id: Iecf44650aade60b9fa1b13e57da752fb482a3f3f
Original-Signed-off-by: Julius Werner <jwerner@chromium.org>
Original-Reviewed-on: https://chromium-review.googlesource.com/286240
Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-on: http://review.coreboot.org/11016
Tested-by: build bot (Jenkins)
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Diffstat (limited to 'payloads/libpayload')
-rw-r--r-- | payloads/libpayload/liblz4/lz4_wrapper.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/payloads/libpayload/liblz4/lz4_wrapper.c b/payloads/libpayload/liblz4/lz4_wrapper.c index b04659783d..431fb55cc0 100644 --- a/payloads/libpayload/liblz4/lz4_wrapper.c +++ b/payloads/libpayload/liblz4/lz4_wrapper.c @@ -132,8 +132,12 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn) return out - dst; /* decompression successful */ if (b.not_compressed) { - memcpy(out, in, b.size); - out += b.size; + size_t size = MIN((u32)b.size, dst + dstn - out); + memcpy(out, in, size); + if (size < b.size) + return 0; /* output overrun */ + else + out += size; } else { /* constant folding essential, do not touch params! */ int ret = LZ4_decompress_generic(in, out, b.size, |