diff options
Diffstat (limited to 'payloads/libpayload')
-rw-r--r-- | payloads/libpayload/liblz4/lz4.c.inc | 1 | ||||
-rw-r--r-- | payloads/libpayload/liblz4/lz4_wrapper.c | 3 |
2 files changed, 4 insertions, 0 deletions
diff --git a/payloads/libpayload/liblz4/lz4.c.inc b/payloads/libpayload/liblz4/lz4.c.inc index baa911021d..68fac47c89 100644 --- a/payloads/libpayload/liblz4/lz4.c.inc +++ b/payloads/libpayload/liblz4/lz4.c.inc @@ -150,6 +150,7 @@ FORCE_INLINE int LZ4_decompress_generic( if ((length=(token>>ML_BITS)) == RUN_MASK) { unsigned s; + if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error; /* overflow detection */ do { s = *ip++; diff --git a/payloads/libpayload/liblz4/lz4_wrapper.c b/payloads/libpayload/liblz4/lz4_wrapper.c index d125ce336f..3d17fe6742 100644 --- a/payloads/libpayload/liblz4/lz4_wrapper.c +++ b/payloads/libpayload/liblz4/lz4_wrapper.c @@ -141,6 +141,9 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn) } while (1) { + if ((size_t)(in - src) + sizeof(struct lz4_block_header) > srcn) + break; /* input overrun */ + struct lz4_block_header b = { .raw = le32toh(*(uint32_t *)in) }; in += sizeof(struct lz4_block_header); |