From bf697566da9a59a37d1bf3dfa1839fd5aee33f56 Mon Sep 17 00:00:00 2001
From: Julius Werner
Date: Thu, 16 Jul 2015 13:59:57 -0700
Subject: libpayload: lz4: Add output overrun check to incompressible case

The LZ4 decompressor currently doesn't check for output overruns before
writing data in the case where a block had been incompressible (and
included verbatim in the compression stream). This is extremely unlikely
with the default 4MB blocks, but still a nice thing to fix.

We'll still output as much data as we can before returning an error to
support partial decompression use cases. This matches the behavior
already in place for normal, LZ4-compressed blocks where the
decompression function is already (supposed to be) doing complete bounds
checking (although it is not guaranteed to output all valid bytes before
aborting on an output overrun, and you should try to provide a few dozen
bytes of extra buffer space beyond the parts you're interested in on
partial decompression).

BRANCH=None
BUG=chrome-os-partner:32184
TEST=None

Change-Id: I5e40c8cec8947ec0ec8f6d8c8fa2574cfb4dc958
Signed-off-by: Patrick Georgi
Original-Commit-Id: 636985334c9b3b93a12d4066d2829f1f999c9315
Original-Change-Id: Iecf44650aade60b9fa1b13e57da752fb482a3f3f
Original-Signed-off-by: Julius Werner
Original-Reviewed-on: https://chromium-review.googlesource.com/286240
Original-Reviewed-by: Aaron Durbin
Reviewed-on: http://review.coreboot.org/11016
Tested-by: build bot (Jenkins)
Reviewed-by: Stefan Reinauer
Reviewed-by: Paul Menzel
---
 payloads/libpayload/liblz4/lz4_wrapper.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'payloads/libpayload/liblz4')

diff --git a/payloads/libpayload/liblz4/lz4_wrapper.c b/payloads/libpayload/liblz4/lz4_wrapper.c
index b04659783d..431fb55cc0 100644
--- a/payloads/libpayload/liblz4/lz4_wrapper.c
+++ b/payloads/libpayload/liblz4/lz4_wrapper.c
@@ -132,8 +132,12 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn) return out - dst; /* decompression successful */ if (b.not_compressed) { - memcpy(out, in, b.size); - out += b.size; + size_t size = MIN((u32)b.size, dst + dstn - out); + memcpy(out, in, size); + if (size < b.size) + return 0; /* output overrun */ + else + out += size; } else { /* constant folding essential, do not touch params! */ int ret = LZ4_decompress_generic(in, out, b.size, -- cgit v1.2.3
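
Review bot: In the `b.not_compressed` branch, the new `return 0; /* output overrun */` comes after a partial `memcpy`, but a return of 0 gives the caller no count of the bytes written, so the partial-decompression use the commit message describes depends on the caller knowing that `dst` may hold valid output even though the function reported failure. A comment on `ulz4fn` stating that contract would help. The hunk also bounds only the write side: nothing in the visible lines checks that `b.size` bytes remain in `src` before `memcpy(out, in, size)`, so unless that is verified earlier in the loop, the same clamp should be applied against `src + srcn - in`. Minor: `MIN((u32)b.size, dst + dstn - out)` compares an unsigned 32-bit value with a signed pointer difference and does arithmetic on a `void *`; computing the remaining space once as a `size_t` would make the types explicit, and the `else` after the `return` is redundant. With `TEST=None`, a test that feeds an incompressible block into an undersized `dst` would cover the new path.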